Improper Handling of URL Encoding (Hex Encoding) Affecting @fastify/static package, versions >=8.0.0 <9.1.1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-FASTIFYSTATIC-16098210
- published17 Apr 2026
- disclosed16 Apr 2026
- creditBlake Embrey
Introduced: 16 Apr 2026
NewCVE-2026-6414 (opens in a new tab)How to fix?
Upgrade @fastify/static to version 9.1.1 or higher.
Overview
@fastify/static is a Plugin for serving static files as fast as possible.
Affected versions of this package are vulnerable to Improper Handling of URL Encoding (Hex Encoding) via the handling of percent-encoded path separators in the fastifyStatic() function. This creates a mismatch between Fastify's router guard and fastifyStatic() decoded response. An attacker can gain unauthorized access to protected files or sensitive information by sending specially crafted requests that exploit discrepancies in path decoding.