CVE-2026-6414

16.04.2026, 13:16

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.

Hex Encoding

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-177 - Improper Handling of URL Encoding (Hex Encoding)
The software does not properly handle when all or part of an input has been URL encoded.

References

https://cna.openjsf.org/security-advisories.html

https://github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j92

https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p

https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr