CVSSv2: 6.8

CVE-2021-22964

Published: 14/10/2021 Updated: 20/10/2021
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.3 | Exploitability Score: 2.8
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

An open-redirect vulnerability in the `fastify-static` module, versions >= 4.2.4 and < 4.4.1, allows a remote attacker to redirect Mozilla Firefox users to arbitrary websites via a double slash `//` followed by a domain, for example: `localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e`.

A denial-of-service (DoS) condition is also possible if the URL contains invalid characters, for example: `curl --path-as-is "localhost:3000//^/.."`

The issue affects every `fastify-static` application that sets the `redirect: true` option. The option defaults to `false`, so applications that keep the default are not exposed to it.

Vulnerable Products

fastify fastify-static

Vendor Advisories

A redirect vulnerability in the `fastify-static` module version >= 4.2.4 and < 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash `//` followed by a domain: `localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e`. A DOS vulnerability is possible if the URL contains invalid character ...