Listen to this Post
The flaw resides in the directory listing mechanism of @fastify/static. When the `list` option is enabled, the plugin uses the `dirList.path()` function to resolve the requested directory for listing. This function relies on `path.join()` to combine the configured static root with the user-supplied URL path. Normally, `path.join()` normalizes path segments, but it does not perform a security containment check against the original root directory.
An attacker can craft a request containing a relative path traversal sequence, such as /public/../outside/. The `path.join()` function resolves this sequence to a full filesystem path that exists outside the intended static root. Because there is no additional verification step to ensure the resolved path still resides within the root, the server proceeds to generate and return a directory listing for that external directory.
This allows a remote, unauthenticated attacker to list the contents of any directory accessible to the Node.js process, exposing directory and file names that should remain private. It is important to note that file contents are not disclosed; only the directory structure and file names are leaked.
The vulnerability affects all versions from 8.0.0 up to and including 9.1.0. It was fixed in version 9.1.1 by implementing a proper containment check after path resolution, preventing any resolved path from escaping the designated static root.
dailycve form:
Platform: Node.js Version: 8.0.0-9.1.0 Vulnerability: Path Traversal Severity: Medium date: Apr 16,2026 Prediction: Apr 16,2026
What Undercode Say:
Analytics:
Exploitation attempts typically spike within 24 hours of disclosure. Focus on scanning for directory listing endpoints with `list` enabled. Monitor logs for path traversal patterns like `%2e%2e%2f` or ../.
Bash commands and codes:
Check if directory listing is enabled grep -r "list:" node_modules/@fastify/static/ --include=".js" Search for vulnerable version in package.json grep '"@fastify/static"' package.json Test for vulnerability curl -k "https://target.com/public/../etc/"
Exploit:
GET /public/../outside/ HTTP/1.1 Host: vulnerable-site.com
The request returns a directory listing of the parent directory, leaking its contents.
Protection from this CVE:
- Upgrade to `@fastify/static` >= 9.1.1 immediately.
- If upgrade is not possible, disable the directory listing feature by removing the `list` option from the plugin configuration.
- Implement a custom middleware that validates the resolved path still lies within the static root.
Impact:
An unauthenticated attacker can enumerate the server’s filesystem structure, discovering configuration files, logs, source code, and other sensitive assets. While file contents are not directly exposed, the leaked metadata can be a critical stepping stone for further attacks.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

