fix(deps): update dependency @fastify/static to v9.1.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@fastify/static	9.0.0 → 9.1.1

---

@​fastify/static vulnerable to route guard bypass via encoded path separators

CVE-2026-6414 / GHSA-x428-ghpx-8j92

More information

Details

Impact

@fastify/static v9.1.0 and earlier decodes percent-encoded path separators (%2F) before filesystem resolution, but Fastify's router treats them as literal characters. This creates a routing mismatch: route guards on /admin/* do not match /admin%2Fsecret.html, but @​fastify/static decodes it to /admin/secret.html and serves the file.

Applications that rely on route-based middleware or guards to protect files served by @​fastify/static can be bypassed with encoded path separators.

Patches

Upgrade to @fastify/static >= 9.1.1.

Workarounds

None. Upgrade to the patched version.

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j92
• https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p
• https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr
• https://nvd.nist.gov/vuln/detail/CVE-2026-6414
• https://cna.openjsf.org/security-advisories.html
• https://github.com/advisories/GHSA-x428-ghpx-8j92

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

@​fastify/static vulnerable to path traversal in directory listing

CVE-2026-6410 / GHSA-pr96-94w5-mx2h

More information

Details

Impact

@fastify/static v9.1.0 and earlier serves directory listings outside the configured static root when the list option is enabled. A request such as /public/../outside/ causes dirList.path() to resolve a directory outside the root via path.join() without a containment check.

A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory names and filenames that should not be exposed. File contents are not disclosed.

Patches

Upgrade to @fastify/static >= 9.1.1.

Workarounds

Disable directory listing by removing the list option from the plugin configuration.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

• https://github.com/fastify/fastify-static/security/advisories/GHSA-pr96-94w5-mx2h
• https://nvd.nist.gov/vuln/detail/CVE-2026-6410
• https://cna.openjsf.org/security-advisories.html
• https://github.com/advisories/GHSA-pr96-94w5-mx2h

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

fastify/fastify-static (@​fastify/static)

v9.1.1

Compare Source

⚠️ Security Release

This fixes CVE CVE-2026-6410 GHSA-pr96-94w5-mx2h.
This fixes CVE CVE-2026-6414 GHSA-x428-ghpx-8j92.

What's Changed

• ci: add lock-threads workflow by @​Fdawgs in #​570

Full Changelog: fastify/fastify-static@v9.1.0...v9.1.1

v9.1.0

Compare Source

What's Changed

• build(deps-dev): bump @​types/node from 24.10.4 to 25.0.3 by @​dependabot[bot] in #​552
• test: move ignoreTrailingSlash under routerOptions by @​lraveri in #​553
• build(deps-dev): bump borp from 0.20.2 to 0.21.0 by @​dependabot[bot] in #​543
• chore: bump pino and borp dependencies, delete stale.yml by @​Tony133 in #​557
• chore: update syntax typescript by @​Tony133 in #​558
• chore(license): standardise license notice by @​Fdawgs in #​560
• fix: sendFile ignoring option overrides in some cases by @​bakugo in #​559
• chore: upgrade c8 to v11.0.0 and improvements test by @​Tony133 in #​564
• build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @​dependabot[bot] in #​566

New Contributors

• @​lraveri made their first contribution in #​553
• @​Tony133 made their first contribution in #​557
• @​bakugo made their first contribution in #​559

Full Changelog: fastify/fastify-static@v9.0.0...v9.1.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

📊 Benchmark results

Comparing with ca9d3ca

• Dependency count: 1,061 (no change)
• Package size: 357 MB ⬆️ 0.62% increase vs. ca9d3ca
• Number of ts-expect-error directives: 356 (no change)