{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6410", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-04-15T22:59:38.193Z", "datePublished": "2026-04-16T13:29:08.120Z", "dateUpdated": "2026-04-16T14:19:36.780Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-16T13:29:08.120Z"}, "descriptions": [{"lang": "en", "value": "@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names. File contents are not disclosed. Upgrade to @fastify/static 9.1.1 to fix this issue. As a workaround, disable directory listing by removing the list option from the plugin configuration.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names. File contents are not disclosed. Upgrade to @fastify/static 9.1.1 to fix this issue. As a workaround, disable directory listing by removing the list option from the plugin configuration."}]}], "affected": [{"vendor": "@fastify/static", "product": "@fastify/static", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "status": "affected", "version": "8.0.0", "lessThan": "9.1.1"}, {"versionType": "semver", "status": "unaffected", "version": "9.1.1"}], "packageURL": "pkg:npm/@fastify/static"}], "references": [{"url": "https://github.com/fastify/fastify-static/security/advisories/GHSA-pr96-94w5-mx2h"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "credits": [{"lang": "en", "type": "finder", "value": "yuki-matsuhashi"}, {"lang": "en", "type": "remediation developer", "value": "mcollina"}, {"lang": "en", "type": "remediation reviewer", "value": "UlisesGascon"}, {"lang": "en", "type": "remediation reviewer", "value": "climba03003"}], "title": "@fastify/static vulnerable to path traversal in directory listing", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "x_generator": {"engine": "cve-kit 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T14:19:22.028552Z", "id": "CVE-2026-6410", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:19:36.780Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6410", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-04-15T22:59:38.193Z", "datePublished": "2026-04-16T13:29:08.120Z", "dateUpdated": "2026-04-16T14:19:36.780Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-16T13:29:08.120Z"}, "descriptions": [{"lang": "en", "value": "@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names. File contents are not disclosed. Upgrade to @fastify/static 9.1.1 to fix this issue. As a workaround, disable directory listing by removing the list option from the plugin configuration.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names. File contents are not disclosed. Upgrade to @fastify/static 9.1.1 to fix this issue. As a workaround, disable directory listing by removing the list option from the plugin configuration."}]}], "affected": [{"vendor": "@fastify/static", "product": "@fastify/static", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "status": "affected", "version": "8.0.0", "lessThan": "9.1.1"}, {"versionType": "semver", "status": "unaffected", "version": "9.1.1"}], "packageURL": "pkg:npm/@fastify/static"}], "references": [{"url": "https://github.com/fastify/fastify-static/security/advisories/GHSA-pr96-94w5-mx2h"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "credits": [{"lang": "en", "type": "finder", "value": "yuki-matsuhashi"}, {"lang": "en", "type": "remediation developer", "value": "mcollina"}, {"lang": "en", "type": "remediation reviewer", "value": "UlisesGascon"}, {"lang": "en", "type": "remediation reviewer", "value": "climba03003"}], "title": "@fastify/static vulnerable to path traversal in directory listing", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "x_generator": {"engine": "cve-kit 1.0.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6410", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T14:19:22.028552Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:19:32.758Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names. File contents are not disclosed. Upgrade to @fastify/static 9.1.1 to fix this issue. As a workaround, disable directory listing by removing the list option from the plugin configuration."}], "id": "CVE-2026-6410", "lastModified": "2026-04-16T14:16:20.173", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}, "published": "2026-04-16T14:16:20.173", "references": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://cna.openjsf.org/security-advisories.html"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://github.com/fastify/fastify-static/security/advisories/GHSA-pr96-94w5-mx2h"}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}

{"bugzilla": {"description": "@fastify/static: @fastify/static: Information disclosure via path traversal when directory listing is enabled.", "id": "2458941", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458941"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in @fastify/static. When directory listing is enabled, a remote unauthenticated attacker can exploit a path traversal vulnerability. This occurs because the dirList.path() function incorrectly resolves directories outside the configured static root. Successful exploitation allows the attacker to obtain directory listings for arbitrary directories, leading to the disclosure of directory and file names."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-6410", "package_state": [{"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-dashboard-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-mod-arch-gen-ai-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-mod-arch-maas-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-mod-arch-model-registry-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/dashboard-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-04-16T13:29:08Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6410\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6410\nhttps://cna.openjsf.org/security-advisories.html\nhttps://github.com/fastify/fastify-static/security/advisories/GHSA-pr96-94w5-mx2h"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,9.1.1)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "9.1.1"}}], "enrichment": {"confidence": 85.0, "confidence_source": "matching", "scores": [{"score": 85.0, "source": "matching"}]}, "original": {"product": "@fastify/static", "source": "cna", "vendor": "@fastify/static"}, "product": "fastify-static", "vendor": "fastify"}], "analysis": {"en": {"generated_at": "2026-04-17T02:59:15.202655+00:00", "value": {"mitigation_remediation": ["Upgrade to @fastify/static 9.1.1 or later", "If an upgrade cannot be performed immediately, disable directory listing by removing the list option from the plugin configuration", "Restrict the Node.js process file system permissions so that it only has access to the directories that must be served"], "summary": {"action": "Apply Patch", "impact": "Directory information disclosure"}, "threat_synthesis": {"affected_systems": "Node.js applications that depend on @fastify/static versions 8.0.0 through 9.1.0 and have the directory listing (list) option enabled are affected. Any deployment using one of these plugin versions is at risk.", "description_and_impact": "The vulnerability in @fastify/static allows a path traversal flaw when directory listing is enabled. A remote unauthenticated attacker can cause the plugin to resolve directories outside the configured static root and return the names of files and subdirectories present on any directory reachable by the Node.js process. The file contents themselves are not exposed, but the leaked names can aid in reconnaissance and further attacks.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.3, indicating moderate severity. No EPSS score is available, and it is not listed in the CISA KEV catalog, but the remote unauthenticated access model and lack of containment checks make exploitation relatively straightforward for an attacker who can trigger the directory listing. The impact consists of exposing directory and file names to the attacker, which undermines confidentiality and may facilitate further exploitation."}}}}, "created": "2026-04-16T18:58:31.492289+00:00", "updated": "2026-04-17T03:00:08.465789+00:00", "vendors": ["fastify", "fastify$PRODUCT$fastify-static"]}