{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6414", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-04-15T23:37:33.949Z", "datePublished": "2026-04-16T13:09:03.526Z", "dateUpdated": "2026-04-16T13:48:52.393Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-16T13:09:03.526Z"}, "descriptions": [{"lang": "en", "value": "@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds."}]}], "affected": [{"vendor": "@fastify/static", "product": "@fastify/static", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "status": "affected", "version": "8.0.0", "lessThan": "9.1.1"}, {"versionType": "semver", "status": "unaffected", "version": "9.1.1"}], "packageURL": "pkg:npm/@fastify/static"}], "references": [{"url": "https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p"}, {"url": "https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr"}, {"url": "https://github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j92"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "credits": [{"lang": "en", "type": "reporter", "value": "blakeembrey"}, {"lang": "en", "type": "remediation developer", "value": "mcollina"}, {"lang": "en", "type": "remediation reviewer", "value": "UlisesGascon"}, {"lang": "en", "type": "remediation reviewer", "value": "climba03003"}], "title": "@fastify/static vulnerable to route guard bypass via encoded path separators", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-177", "lang": "en", "description": "CWE-177: Improper Handling of URL Encoding (Hex Encoding)", "type": "CWE"}]}], "x_generator": {"engine": "cve-kit 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T13:48:04.954479Z", "id": "CVE-2026-6414", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:48:52.393Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6414", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T13:48:04.954479Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:48:41.093Z"}}], "cna": {"title": "@fastify/static vulnerable to route guard bypass via encoded path separators", "credits": [{"lang": "en", "type": "reporter", "value": "blakeembrey"}, {"lang": "en", "type": "remediation developer", "value": "mcollina"}, {"lang": "en", "type": "remediation reviewer", "value": "UlisesGascon"}, {"lang": "en", "type": "remediation reviewer", "value": "climba03003"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "@fastify/static", "product": "@fastify/static", "versions": [{"status": "affected", "version": "8.0.0", "lessThan": "9.1.1", "versionType": "semver"}, {"status": "unaffected", "version": "9.1.1", "versionType": "semver"}], "packageURL": "pkg:npm/@fastify/static", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p"}, {"url": "https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr"}, {"url": "https://github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j92"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "x_generator": {"engine": "cve-kit 1.0.0"}, "descriptions": [{"lang": "en", "value": "@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.", "supportingMedia": [{"type": "text/html", "value": "@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-177", "description": "CWE-177: Improper Handling of URL Encoding (Hex Encoding)"}]}], "providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-16T13:09:03.526Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6414", "state": "PUBLISHED", "dateUpdated": "2026-04-16T13:48:52.393Z", "dateReserved": "2026-04-15T23:37:33.949Z", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "datePublished": "2026-04-16T13:09:03.526Z", "assignerShortName": "openjs"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds."}], "id": "CVE-2026-6414", "lastModified": "2026-04-16T13:16:52.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}, "published": "2026-04-16T13:16:52.243", "references": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://cna.openjsf.org/security-advisories.html"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j92"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr"}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-177"}], "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}

{"bugzilla": {"description": "@fastify/static: @fastify/static: Security bypass via percent-encoded path separators", "id": "2458939", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458939"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-76", "details": ["A flaw was found in @fastify/static. A remote attacker can exploit this vulnerability by sending specially crafted requests that include percent-encoded path separators. This mismatch in how @fastify/static decodes these separators compared to the Fastify router allows the attacker to bypass security measures such as route-based middleware or guards. Consequently, this can lead to unauthorized access to protected files or information disclosure."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-6414", "package_state": [{"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-dashboard-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-mod-arch-gen-ai-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-mod-arch-maas-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-mod-arch-model-registry-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/dashboard-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-04-16T13:09:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6414\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6414\nhttps://cna.openjsf.org/security-advisories.html\nhttps://github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j92\nhttps://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p\nhttps://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,9.1.1)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "9.1.1"}}], "enrichment": {"confidence": 85.0, "confidence_source": "matching", "scores": [{"score": 85.0, "source": "matching"}]}, "original": {"product": "@fastify/static", "source": "cna", "vendor": "@fastify/static"}, "product": "fastify-static", "vendor": "fastify"}], "analysis": {"en": {"generated_at": "2026-04-17T03:24:33.022004+00:00", "value": {"mitigation_remediation": ["Upgrade @fastify/static to version 9.1.1 or later.", "Update any custom middleware or route guards that rely on the Fastify router\u2019s interpretation of encoded path separators to accommodate the plugin\u2019s new behavior.", "Implement a pre\u2011router validation step that rejects or logs requests containing percent\u2011encoded slash characters, adding an extra barrier against future bypass attempts.", "Conduct a security review of static asset routing to ensure that sensitive files are not exposed through static folders or incorrectly configured routes."], "summary": {"action": "Immediate Patch", "impact": "Route Guard Bypass via Encoded Path Separators"}, "threat_synthesis": {"affected_systems": "Node.js applications that use @fastify/static (catalogued as @fastify/static) are affected in all releases from 8.0.0 through 9.1.0. The vulnerability also applies to frameworks that employ the forked version of @fastify/static, such as Hono.", "description_and_impact": "The vulnerability in @fastify/static between versions 8.0.0 and 9.1.0 involves the plugin decoding percent\u2011encoded path separators (%2F) before resolving the file system path, while the Fastify router treats the encoded sequence as a literal slash. This inconsistency lets an attacker craft a URL that bypasses route\u2011based middleware or guards placed around static asset routes. The attack does not provide code execution but can expose files that should be protected. Based on the description, it is inferred that access to otherwise restricted static content may be gained. The weakness is related to CWE\u2011177 (Path Traversal) and CWE\u201176 (Improper Handling of Encoded Input).", "risk_and_exploitability": "The CVSS score of 5.9 denotes moderate severity. EPSS is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The ability to bypass route guards depends on receiving an HTTP request containing percent\u2011encoded slash characters; this request is trivial to construct. Based on the description, it is inferred that bypassing the guard may reveal confidential files, potentially resulting in data disclosure. No remote code execution is provided, but the exposure of sensitive assets could have significant business impact."}}}}, "created": "2026-04-16T18:58:32.603049+00:00", "updated": "2026-04-17T03:30:08.592030+00:00", "vendors": ["fastify", "fastify$PRODUCT$fastify-static"]}