PT-2021-4674 · Unknown · Fastify-Static

Drstrnegth · Published 2021-10-06 · Updated 2021-10-20 · CVE-2021-22964

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C
Name of the Vulnerable Software and Affected Versions: fastify-static versions 4.2.4 through 4.4.0
Description: A redirect issue in the fastify-static module allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash (//) followed by a domain, for example http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e. A DoS issue is possible if the URL contains invalid characters, such as curl --path-as-is "http://localhost:3000//^/..". The issue affects fastify-static applications that set the redirect: true option, which is false by default.
Recommendations: For fastify-static versions 4.2.4 through 4.4.0, update to version 4.4.1 to resolve the issue. As a temporary workaround, set the redirect option to false until the update is applied. Alternatively, sanitize the input URLs using the rewriteUrl server option if updating is not an option.
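The rewriteUrl workaround from the recommendations, written out as an added example (not code from fastify-static, Fastify or this advisory). It assumes Fastify's documented rewriteUrl(req) hook, which receives the raw Node request and returns the URL string to route on, and uses a constructed document root.

```javascript
// Added example, not fastify-static's or Fastify's own code. Fastify's rewriteUrl
// server option (per the Fastify docs) receives the raw Node request and returns
// the URL string the router should see; the hook below neutralises the two
// request shapes the advisory describes before fastify-static can act on them.

// Characters RFC 3986 allows unencoded in a path (unreserved, sub-delims, ":@/").
const PATH_CHAR = /[A-Za-z0-9\-._~!$&'()*+,;=:@\/]/;

// Percent-encode anything outside that set, keeping well-formed escapes such as
// %2e intact so legitimate encoded paths are not double-encoded.
function encodeIllegalChars(path) {
  let out = '';
  for (let i = 0; i < path.length; i++) {
    const ch = path[i];
    if (PATH_CHAR.test(ch)) { out += ch; continue; }
    if (ch === '%' && /^[0-9A-Fa-f]{2}$/.test(path.slice(i + 1, i + 3))) { out += ch; continue; }
    try { out += encodeURIComponent(ch); } catch (e) { /* lone surrogate: drop it rather than throw */ }
  }
  return out;
}

// rewriteUrl hook: collapse runs of slashes (so no path can begin with "//host",
// which a browser reads as a protocol-relative URL if it is echoed into a
// Location header) and encode characters that are not legal in a URL path, so
// downstream URL parsing never sees them raw. The query string passes through.
function rewriteUrl(req) {
  const raw = req.url || '/';
  const q = raw.indexOf('?');
  const path = q === -1 ? raw : raw.slice(0, q);
  const query = q === -1 ? '' : raw.slice(q);
  return encodeIllegalChars(path.replace(/\/{2,}/g, '/')) + query;
}

// RFC 3986 calls a reference that begins with "//" a network-path reference;
// a Location value of this shape sends the browser to the embedded host, which
// is a useful check on outgoing redirects when auditing a deployment.
function isProtocolRelative(location) {
  return location.startsWith('//');
}

// Options as they would be passed to fastify() and to fastify-static's register();
// the document root is a constructed placeholder and no server is started here.
const serverOptions = { rewriteUrl };
const staticOptions = { root: '/srv/www/public', redirect: false };
```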

Exploit

Fix

Resource Exhaustion

Open Redirect


Weakness Enumeration

Related Identifiers

BDU:2021-05367
CVE-2021-22964
GHSA-PGH6-M65R-2RHQ

Affected Products

Fastify-Static