CVE-2026-6410 Overview
A path traversal vulnerability exists in @fastify/static versions 8.0.0 through 9.1.0 that allows remote unauthenticated attackers to obtain directory listings for arbitrary directories when the directory listing feature is enabled. The vulnerability stems from the dirList.path() function which resolves directories outside the configured static root using path.join() without proper containment checks.
Critical Impact
Remote unauthenticated attackers can enumerate directory structures and file names accessible to the Node.js process, potentially exposing sensitive application architecture and file naming conventions.
Affected Products
- @fastify/static versions 8.0.0 through 8.x
- @fastify/static versions 9.0.0 through 9.1.0
- Node.js applications using affected @fastify/static versions with directory listing enabled
Discovery Timeline
- 2026-04-16 - CVE-2026-6410 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-6410
Vulnerability Analysis
This path traversal vulnerability (CWE-22) affects the @fastify/static plugin for the Fastify web framework when directory listing is explicitly enabled via the list configuration option. The vulnerability allows attackers to traverse outside the intended static file directory and enumerate the contents of other directories accessible to the Node.js process.
The attack can be executed remotely over the network without authentication and requires no user interaction. While the vulnerability only exposes directory and file names (not file contents), this information disclosure can be leveraged for reconnaissance purposes to identify sensitive files, understand application structure, or locate additional attack surfaces.
Root Cause
The root cause lies in the dirList.path() function which uses Node.js path.join() to construct directory paths without implementing a containment check to ensure the resolved path remains within the configured static root directory. When user-supplied path segments containing directory traversal sequences (such as ../) are processed, the path.join() function resolves them to paths outside the intended root, and no subsequent validation prevents the directory listing from being returned.
Attack Vector
The attack vector is network-based and requires the target application to have directory listing enabled via the list option in the @fastify/static plugin configuration. An attacker can craft HTTP requests containing path traversal sequences to access directory listings outside the static root. The attack requires no privileges or authentication and can be executed without any user interaction.
A malicious request might target URLs like /static/../../../etc/ or similar paths depending on the application's route configuration. The server responds with a directory listing of the traversed path, exposing directory and file names to the attacker. While file contents cannot be retrieved through this vulnerability, the exposed metadata can facilitate further attacks.
Detection Methods for CVE-2026-6410
Indicators of Compromise
- HTTP requests to static file endpoints containing path traversal sequences such as ../, ..%2f, or ..%5c
- Unusual patterns in web server access logs showing repeated attempts to access parent directories
- Requests targeting system directories like /etc/, /var/, or application configuration directories
- Error responses or unexpected directory listings returned for non-standard paths
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal patterns in request URLs
- Monitor application logs for requests containing encoded or decoded directory traversal sequences
- Deploy intrusion detection systems (IDS) with signatures for path traversal attack patterns
- Review access logs for reconnaissance-style behavior targeting directory structures
Monitoring Recommendations
- Enable detailed access logging for all Fastify static file routes
- Configure alerting for requests containing .. sequences in URL paths
- Monitor for unusual spikes in 4xx/5xx responses on static file endpoints
- Implement rate limiting on static file routes to slow reconnaissance attempts
How to Mitigate CVE-2026-6410
Immediate Actions Required
- Upgrade @fastify/static to version 9.1.1 or later immediately
- Audit application configurations to identify instances where directory listing is enabled
- If directory listing is not required, disable it by removing the list option from plugin configuration
- Review access logs to determine if the vulnerability has been exploited
Patch Information
The vulnerability is resolved in @fastify/static version 9.1.1. Organizations should update their dependencies using their package manager. For npm users, run npm update @fastify/static to obtain the latest patched version. Verify the installed version with npm list @fastify/static to confirm remediation.
For additional details, refer to the GitHub Security Advisory GHSA-pr96-94w5-mx2h and the OpenJS Foundation Security Advisories.
Workarounds
- Disable directory listing entirely by removing the list option from the @fastify/static plugin configuration
- Implement a reverse proxy with path validation rules to filter malicious requests before they reach the application
- Deploy a web application firewall to block requests containing path traversal sequences
- Restrict the Node.js process permissions to limit accessible directories
# Package update commands for remediation
# Update @fastify/static to patched version
npm update @fastify/static
# Verify installed version
npm list @fastify/static
# For yarn users
yarn upgrade @fastify/static
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.