Bug 2458941 (CVE-2026-6410) - CVE-2026-6410 @fastify/static: @fastify/static: Information disclosure via path traversal when directory listing is enabled.
Keywords:
Status: NEW
Alias: CVE-2026-6410
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-04-16 14:02 UTC by OSIDB Bzimport
Modified: 2026-04-16 19:52 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-16 14:02:03 UTC
@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names. File contents are not disclosed. Upgrade to @fastify/static 9.1.1 to fix this issue. As a workaround, disable directory listing by removing the list option from the plugin configuration.

