PT-2026-33321 · Npm · Fastify-Static

Climba03003 +3 · Published 2026-04-16 · Updated 2026-04-17 · CVE-2026-6410

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

@fastify/static versions 8.0.0 through 9.1.0

Description

Path traversal occurs when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names, although file contents are not disclosed.

Recommendations

Upgrade to version 9.1.1. As a temporary workaround, disable directory listing by removing the list option from the plugin configuration.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-6410
GHSA-PR96-94W5-MX2H

Affected Products

Fastify-Static