PT-2026-33313 · Npm · Fastify-Static

Blakeembrey

Published: 2026-04-16 · Updated: 2026-04-17

CVE-2026-6414

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: @fastify/static versions 8.0.0 through 9.1.0

Description: @fastify/static decodes percent-encoded path separators ('%2F') before resolving the path on the filesystem, whereas the Fastify router treats them as literal characters. This discrepancy creates a routing mismatch in which route guards or middleware protecting specific paths can be bypassed. For instance, a guard protecting '/admin/*' will not match a request for '/admin%2Fsecret.html', but the plugin will decode the request and serve the file from '/admin/secret.html'.

Recommendations: Upgrade to @fastify/static version 9.1.1.


Weakness Enumeration

Related Identifiers

CVE-2026-6414
GHSA-X428-GHPX-8J92

Affected Products

Fastify-Static