CVE-2021-22963 Overview
A redirect vulnerability exists in the fastify-static module versions prior to 4.2.4 that allows remote attackers to redirect users to arbitrary external websites. This open redirect flaw is triggered by crafting URLs with a double slash (//) followed by a domain, combined with URL-encoded path traversal sequences. The vulnerability specifically affects fastify-static applications that have the redirect: true option enabled.
Critical Impact
Attackers can leverage this open redirect vulnerability to craft malicious URLs that appear legitimate but redirect users to attacker-controlled domains, enabling phishing attacks, credential theft, and malware distribution.
Affected Products
- fastify-static versions prior to 4.2.4
- Applications using fastify-static with redirect: true configuration option
Discovery Timeline
- 2021-10-14 - CVE-2021-22963 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-22963
Vulnerability Analysis
This vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site, commonly known as Open Redirect). The fastify-static module, a popular static file serving plugin for the Fastify web framework, contains a flaw in its redirect handling logic when the redirect: true option is configured.
When processing requests containing specially crafted URL patterns, the module fails to properly validate and sanitize the redirect destination. An attacker can exploit this by constructing a URL with a double forward slash followed by a malicious domain and URL-encoded characters. For example, a request to http://localhost:3000//google.com/%2e%2e would cause the server to redirect users to the external domain.
The vulnerability requires user interaction (clicking on a malicious link) but can be exploited remotely over the network without any authentication or special privileges. The impact includes potential compromise of user confidentiality and integrity through phishing attacks, session hijacking, or delivery of malicious content.
Root Cause
The root cause lies in insufficient input validation within the redirect handling mechanism of fastify-static. When the module processes a request whose path begins with a double slash, it builds the redirect Location from that path unchanged, so the Location value itself starts with //. Browsers treat such a value as a protocol-relative URL and interpret the segment after the slashes as a host rather than as part of the local path. The URL-encoded path traversal sequence (%2e%2e, representing ..) further manipulates the redirect logic, allowing attackers to break out of the intended redirect scope and direct users to arbitrary external domains.
Attack Vector
The attack is network-based and exploits the redirect functionality in fastify-static applications. An attacker crafts a malicious URL pointing to a vulnerable application server, embedding a double slash followed by their target domain. When a victim clicks this link (social engineering required), the vulnerable server responds with a redirect to the attacker-controlled site.
The exploitation pattern follows this structure: http://[vulnerable-host]:[port]//[malicious-domain]/%2e%2e. The double slash causes the module to treat the malicious domain as the redirect target, while the encoded path traversal helps bypass potential path validation. Since this attack requires user interaction (clicking the malicious link), social engineering typically accompanies technical exploitation.
Detection Methods for CVE-2021-22963
Indicators of Compromise
- Unusual redirect responses (HTTP 301/302) to external domains in server access logs
- URL patterns containing double slashes (//) followed by external domain names in request logs
- URL-encoded path traversal sequences (%2e%2e) in combination with redirect requests
- User reports of unexpected redirects when accessing legitimate application URLs
Detection Strategies
- Monitor web server access logs for requests containing double slash patterns followed by external domains
- Implement web application firewall (WAF) rules to detect and block URL patterns matching the exploit signature
- Analyze HTTP response codes and Location headers for redirects pointing to external domains
- Deploy intrusion detection signatures for URLs containing //[domain]/%2e%2e patterns
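The log-scanning strategies above, as an added example that is not part of this advisory or the fastify-static project: plain Node.js that classifies request targets in combined-format access log lines and rates a match higher when the server actually answered with a 3xx. The log lines are constructed samples.

```javascript
// Added example (not code from the advisory or the fastify-static project):
// scan combined-format access log lines for the request pattern described
// above. The log lines are constructed samples.
const SAMPLE_LOG = [
  '203.0.113.5 - - [14/Oct/2021:10:00:00 +0000] "GET //attacker.example/%2e%2e HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [14/Oct/2021:10:00:01 +0000] "GET /static/app.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [14/Oct/2021:10:00:02 +0000] "GET //cdn.example/ HTTP/1.1" 302 0 "-" "curl/7.79.1"',
  '198.51.100.7 - - [14/Oct/2021:10:00:03 +0000] "GET /docs/%2e%2e/%2e%2e/etc HTTP/1.1" 403 0 "-" "curl/7.79.1"',
];

// Request line and status code from a combined-format entry.
const REQUEST_LINE = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+" (?<status>\d{3})/;

// Percent-decode without throwing, so one malformed line cannot abort the scan.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Reasons a request target looks like the CVE-2021-22963 pattern: a leading
// "//" followed by a host-like label (what turns the trailing-slash redirect
// into a protocol-relative, external Location) and encoded ".." traversal.
function classifyTarget(target) {
  const reasons = [];
  if (/^\/\/+[A-Za-z0-9.-]+\.[A-Za-z]{2,}/.test(target)) reasons.push('double-slash-host');
  if (/%2e%2e/i.test(target) || safeDecode(target).includes('..')) reasons.push('encoded-traversal');
  return reasons;
}

// One finding per suspicious line. A 3xx status means the server actually
// answered with a redirect, so the finding is marked high confidence.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = REQUEST_LINE.exec(line);
    if (!m) continue;
    const reasons = classifyTarget(m.groups.target);
    if (reasons.length === 0) continue;
    const status = Number(m.groups.status);
    findings.push({
      target: m.groups.target,
      status,
      reasons,
      confidence: status >= 300 && status < 400 ? 'high' : 'low',
    });
  }
  return findings;
}

for (const f of scanAccessLog(SAMPLE_LOG)) console.log(f.confidence, f.status, f.target, f.reasons.join(','));
```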
Monitoring Recommendations
- Enable verbose logging for the fastify-static module to capture redirect behavior
- Set up alerts for unusual outbound redirect patterns in application monitoring tools
- Review application configuration to identify instances where redirect: true is enabled
- Implement regular dependency scanning to identify vulnerable fastify-static versions
How to Mitigate CVE-2021-22963
Immediate Actions Required
- Upgrade fastify-static to version 4.2.4 or later immediately
- Audit application configurations and disable redirect: true if not strictly required
- Implement server-side validation of redirect destinations before processing
- Review access logs for any evidence of exploitation attempts
Patch Information
The vulnerability has been addressed in fastify-static version 4.2.4. Organizations should update their Node.js dependencies to include this patched version. The fix implements proper validation of redirect URLs to prevent redirection to external domains through double-slash URL manipulation.
For detailed information about this vulnerability, refer to the HackerOne Security Report #1354255.
Workarounds
- Set redirect: false in fastify-static configuration if redirect functionality is not required
- Implement a reverse proxy or WAF rule to filter requests containing double slash patterns followed by external domains
- Add application-level middleware to validate and sanitize incoming URL paths before they reach fastify-static
- Use URL allowlisting for any redirect functionality to ensure only trusted destinations are permitted
# Update fastify-static to patched version
npm update fastify-static
# Or specify minimum version in package.json
# "fastify-static": ">=4.2.4"
# Verify installed version
npm list fastify-static
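The server-side validation and path-sanitizing middleware recommended above, as an added example that is not code from this advisory or from fastify-static: two plain Node.js helpers built on the WHATWG URL parser, plus a sketch of how they would sit in Fastify hooks. The hook wiring (hook names, ORIGIN constant) is assumed and shown only in comments.

```javascript
// Added example (not code from the advisory or fastify-static): checks an
// application can run before fastify-static handles a request and before a
// redirect leaves the server. Plain Node.js using the WHATWG URL parser; the
// Fastify hook wiring at the bottom is an assumed sketch and is not executed.

// Collapse repeated slashes and reject traversal. Returns the normalized path,
// or null when the request should get a 400 instead of reaching the plugin.
function normalizeRequestPath(rawPath) {
  let decoded;
  try { decoded = decodeURIComponent(rawPath); } catch { return null; } // malformed %xx
  if (decoded.split('/').includes('..')) return null;                  // ".." or "%2e%2e"
  const collapsed = decoded.replace(/\/{2,}/g, '/');                   // "//host" -> "/host"
  return collapsed.startsWith('/') ? collapsed : '/' + collapsed;
}

// A Location header is safe only if, resolved the way a browser resolves it
// against this server's origin, it still points at the same origin. A value
// such as "//attacker.example/" is protocol-relative and therefore external.
function isSafeRedirect(location, ownOrigin) {
  let target;
  try { target = new URL(location, ownOrigin); } catch { return false; }
  return target.origin === new URL(ownOrigin).origin;
}

// Assumed Fastify wiring (hook names from Fastify's public API; not run here):
//   const ORIGIN = 'http://localhost:3000';
//   fastify.addHook('onRequest', (request, reply, done) => {
//     if (normalizeRequestPath(request.raw.url.split('?')[0]) === null) {
//       return reply.code(400).send('Bad Request');
//     }
//     done();
//   });
//   fastify.addHook('onSend', (request, reply, payload, done) => {
//     const loc = reply.getHeader('location');
//     if (loc && !isSafeRedirect(String(loc), ORIGIN)) {
//       reply.removeHeader('location');
//       reply.code(400);
//     }
//     done(null, payload);
//   });
```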
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.