CVE-2026-6414

Description

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.

CVSS v3.1 Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS — Exploit Prediction

0.0001

Probability of exploitation

0.03%

Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-177 CWE-177

Affected Products

Vendor	Product	Versions
fastify	fastify-static	8.0.0 — 9.1.1

References

Advisories & Patches

https://github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j92

Other References

https://cna.openjsf.org/security-advisories.html https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr

Frequently Asked Questions

What is CVE-2026-6414? +

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds. It has a CVSS v3.1 base score of 5.9 (MEDIUM).

How severe is CVE-2026-6414? +

CVE-2026-6414 has a CVSS v3.1 score of 5.9 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance. The EPSS score is 0.0001, placing it in the 0th percentile for exploitation probability.

What products are affected by CVE-2026-6414? +

CVE-2026-6414 affects products from fastify, specifically: fastify-static. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2026-6414? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2024-23983

Improper handling of canonical URL-encoding may lead to bypass not properly constrained by request rules.

CVE-2024-48866 5.3

An improper handling of URL encoding (Hex Encoding) vulnerability has been reported to affect several QNAP operating system versions. If …

CVE-2025-11990 3.1

GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that …

CVE-2026-6270 9.1

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application …

CVE-2025-32442 7.5

Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version …

CVE-2026-33804 7.4

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware …