@fastify/static
cpe:2.3:a:fastify:fastify-static:*:*:*:*:*:*:*
- >= 8.0.0, <= 9.1.0
A path traversal vulnerability has been identified in the @fastify/static package, affecting versions 8.0.0 through 9.1.0. When directory listing is enabled via the 'list' option, the 'dirList.path()' function can resolve directories outside the configured static root, because it builds the target path with 'path.join()' and performs no containment check against the root. As a result, a remote unauthenticated attacker can obtain directory listings of arbitrary directories readable by the Node.js process, revealing directory and file names; file contents are not disclosed.
Exploitation of this vulnerability allows for unauthorized directory traversal, enabling access to directory listings outside the intended static root. This could lead to information disclosure of file and directory names that should not be accessible.
Users are advised to upgrade to @fastify/static version 9.1.1 or later. As a temporary workaround, directory listing can be disabled by removing the 'list' option from the plugin configuration.