CVE-2026-6410
@fastify/static vulnerable to path traversal in directory listing
Description
### Impact

`@fastify/static` v9.1.0 and earlier serves directory listings outside the configured static root when the `list` option is enabled. A request such as `/public/../outside/` causes `dirList.path()` to resolve a directory outside the root via `path.join()` without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory names and filenames that should not be exposed. File contents are not disclosed.

### Patches

Upgrade to `@fastify/static` >= 9.1.1.

### Workarounds

Disable directory listing by removing the `list` option from the plugin configuration.
How to fix CVE-2026-6410
To remediate CVE-2026-6410, upgrade the affected package to a fixed version below.
- `@fastify/static` (npm): upgrade to 9.1.1 or later
Is CVE-2026-6410 being exploited?
Low. The EPSS score is 0.0%, the lowest band of the estimated probability that the vulnerability is exploited in the next 30 days. EPSS predicts likelihood and is not a record of observed attacks, so treat this as "no signal of exploitation at scale" rather than as proof that none has occurred.
Affected packages (1)
- `@fastify/static` (npm): >= 8.0.0, < 9.1.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |