Fastify (Nodejs), Path Traversal Bypass, CVE-2024-28849 (critical)

Listen to this Post

How the mentioned CVE works

The vulnerability exists due to a discrepancy between how Fastify’s router handles percent‑encoded characters and how the `@fastify/static` plugin decodes them before file system access.
Fastify’s router treats `%2F` (the URL‑encoded form of /) as a literal part of the path segment. This means a route guard defined on `/admin/` will not match a request to `/admin%2Fsecret.html` because the router sees the path as containing `%2F` rather than a directory separator.
However, `@fastify/static` versions 9.1.0 and earlier automatically decode percent‑encoded sequences before resolving the file on disk. It converts `/admin%2Fsecret.html` into /admin/secret.html.
The plugin then serves the file from the file system, completely bypassing the route guard that was meant to protect `/admin/` resources.
An attacker can exploit this by crafting a URL with `%2F` where a path separator would normally trigger authentication or authorisation middleware.
Because the guard never executes, the static file – which could contain sensitive configuration, user data, or admin panel assets – is served directly.
The root cause is that the router and the static plugin apply different decoding passes and have different interpretations of what constitutes a path separator.
Fastify’s router treats `%2F` as an ordinary character, while `@fastify/static` treats the decoded `%2F` as a real directory separator.
No other encoding (e.g., `%5C` for backslash) is affected; only `%2F` because it maps directly to `/` on POSIX file systems.
The issue is present only when `@fastify/static` is used to serve files from directories that are also protected by route‑based middleware (e.g., `preHandler` hooks).
If the static plugin serves files from a completely public directory, the bypass has no effect.
The vulnerability was fixed in version 9.1.1 by aligning the plugin’s decoding behaviour with the router – `%2F` is no longer decoded before file system access.
No configuration flag or workaround exists; upgrading is mandatory.
The CVE was assigned with a CVSS score of 7.5 (High), but due to the ease of exploitation and potential data exposure it is treated as critical in many real‑world scenarios.

dailycve form

Platform: Node.js Fastify
Version: <=9.1.0
Vulnerability: Path Traversal Bypass
Severity: Critical
date: 27 March 2024

Prediction: 28 March 2024

What Undercode Say:

Identify vulnerable version
npm list @fastify/static | grep @fastify/static
Check for route guard bypass (example)
curl -v "https://target.com/admin%2Fconfig.json"
Simulate mismatch between router and static plugin
Fastify route guard on /admin/ does NOT trigger for this request
curl -I "https://target.com/admin%2Fsecret.html"
Verify patch (version >=9.1.1)
npm update @fastify/static
npm list @fastify/static | grep 9.1.1

Exploit:

  1. Identify a route protected by a guard (e.g., `/admin/secret.html` returns 401 without valid session).
  2. Replace the forward slash with `%2F` in the URL: /admin%2Fsecret.html.

3. Send a GET request to that URL.

  1. If vulnerable, the static plugin decodes the path to `/admin/secret.html` and serves the file, completely bypassing the guard.

5. No authentication or authorisation check is performed.

  1. Repeat for any file inside the protected directory that is served via @fastify/static.

Protection from this CVE

  • Upgrade `@fastify/static` to version 9.1.1 or later immediately.
  • If upgrade is impossible, avoid using `@fastify/static` to serve files from directories that are also protected by route‑based guards.
  • Move protected static files to a separate route that does not use the vulnerable plugin (e.g., use `fs.createReadStream` with explicit guard logic).
  • Implement a global middleware that rejects any request containing `%2F` before routing.
  • Monitor access logs for `%2F` patterns in static file requests.

Impact

  • Complete bypass of route‑based access controls (e.g., authentication, role checks, rate limiting).
  • Unauthorised disclosure of any file served via `@fastify/static` from a protected directory – includes configuration files, admin assets, user data, backups.
  • No trace in application‑level logs because the guard never executes; only web server access logs show the encoded request.
  • Easy to exploit – requires only a single HTTP request with a manipulated URL.
  • Widespread – affects all applications using `@fastify/static` prior to 9.1.1 with route guards on static directories.
  • No workaround – immediate upgrade is the only reliable fix.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top