@fastify/static Route Guard Bypass Vulnerability via Encoded Path Separators

Vulnerability

A vulnerability exists in @fastify/static versions 8.0.0 through 9.1.0: the package decodes percent-encoded path separators before resolving the file path, while Fastify's router treats those same characters as literal text. Because the two layers see different paths, an attacker can bypass route-based middleware or guards that protect files served by @fastify/static. For instance, a guard registered on a protected path prefix can be evaded by percent-encoding the path separator in the URL, so the request never matches the guarded route but still resolves to the protected file.

Impact

Bypassing route-based middleware or guards can lead to unauthorized access to protected files or endpoints.

Reproduction

To reproduce this vulnerability, first set up a Fastify application and register the @fastify/static plugin. Then apply route-based middleware protections to specific paths. When a request for a protected path is sent with the separator percent-encoded, the request does not match the guarded route, so the middleware never runs; @fastify/static then decodes the separator and serves the file as if the path had not been encoded.

Remediation

Upgrade to @fastify/static version 9.1.1 or later.
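Where an immediate upgrade is not possible, one stopgap is to reject requests whose raw path contains a percent-encoded separator before any static handler sees them. The following is an added example, not code from the advisory or from @fastify/static; it assumes Fastify's callback-style onRequest hook and the request.raw.url and reply.code().send() APIs, and it is deliberately strict (a legitimate file name containing an encoded separator would also be rejected).

```javascript
// Added example: request-level guard against percent-encoded path separators.
// Not part of the advisory or of @fastify/static.

// Matches %2F / %2f (encoded "/") and %5C / %5c (encoded "\").
const ENCODED_SEPARATOR = /%(2f|5c)/i;

// Inspect only the path portion (before "?") of the raw, undecoded URL,
// so the check sees exactly what the router sees. An encoded separator in
// the query string does not affect file resolution and is left alone.
function hasEncodedSeparator(rawUrl) {
  const path = rawUrl.split('?', 1)[0];
  return ENCODED_SEPARATOR.test(path);
}

// Fastify onRequest hook (callback style). It runs before the route handler,
// so the encoded form never reaches @fastify/static's path resolution.
// Register with: fastify.addHook('onRequest', rejectEncodedSeparators)
function rejectEncodedSeparators(request, reply, done) {
  const url = (request.raw && request.raw.url) || '';
  if (hasEncodedSeparator(url)) {
    // Log for detection: repeated hits here are worth alerting on.
    if (request.log) request.log.warn({ url }, 'rejected encoded path separator');
    reply.code(400).send({ error: 'Bad Request' });
    return; // reply already sent: do not call done()
  }
  done();
}

module.exports = { hasEncodedSeparator, rejectEncodedSeparators };
```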

Added: Apr 16, 2026, 1:24 PM
Updated: Apr 16, 2026, 1:24 PM

Vulnerability Rating

Custom Algorithm

spread:         7.6
impact:         1.3
exploitability: 9.7
remediation:    7.7
relevance:      6.0
threat:         6.4
urgency:        2.9
incentive:      8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.