Impact
A redirect vulnerability in the fastify-static module allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e.
A DOS vulnerability is possible if the URL contains invalid characters curl --path-as-is "http://localhost:3000//^/.."
The issue shows up on all the fastify-static applications that set redirect: true option. By default, it is false.
Patches
The issue has been patched in fastify-static@4.4.1
Workarounds
If updating is not an option, you can sanitize the input URLs using the rewriteUrl server option.
References
For more information
If you have any questions or comments about this advisory:
Impact
A redirect vulnerability in the
fastify-staticmodule allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash//followed by a domain:http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e.A DOS vulnerability is possible if the URL contains invalid characters
curl --path-as-is "http://localhost:3000//^/.."The issue shows up on all the
fastify-staticapplications that setredirect: trueoption. By default, it isfalse.Patches
The issue has been patched in
fastify-static@4.4.1Workarounds
If updating is not an option, you can sanitize the input URLs using the
rewriteUrlserver option.References
For more information
If you have any questions or comments about this advisory: