fix(deps): update dependency @fastify/static to v9.1.1 [security] - autoclosed#17320

Closed
renovate[bot] wants to merge 1 commit into develop from renovate/npm-fastify-static-vulnerability

Conversation

@renovate renovate Bot commented Apr 17, 2026

This PR contains the following updates:

Package          Change
@fastify/static  9.1.0 -> 9.1.1

@fastify/static vulnerable to route guard bypass via encoded path separators

CVE-2026-6414 / GHSA-x428-ghpx-8j92

Impact

@fastify/static v9.1.0 and earlier decodes percent-encoded path separators (%2F) before filesystem resolution, but Fastify's router treats them as literal characters. This creates a routing mismatch: route guards on /admin/* do not match /admin%2Fsecret.html, but @fastify/static decodes it to /admin/secret.html and serves the file.

Applications that rely on route-based middleware or guards to protect files served by @fastify/static can be bypassed with encoded path separators.

Patches

Upgrade to @fastify/static >= 9.1.1.

Workarounds

None. Upgrade to the patched version.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


@fastify/static vulnerable to path traversal in directory listing

CVE-2026-6410 / GHSA-pr96-94w5-mx2h

Impact

@fastify/static v9.1.0 and earlier serves directory listings outside the configured static root when the list option is enabled. A request such as /public/../outside/ causes dirList.path() to resolve a directory outside the root via path.join() without a containment check.

A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory names and filenames that should not be exposed. File contents are not disclosed.

Patches

Upgrade to @fastify/static >= 9.1.1.

Workarounds

Disable directory listing by removing the list option from the plugin configuration.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

fastify/fastify-static (@fastify/static)

v9.1.1

⚠️ Security Release

This fixes CVE-2026-6410 (GHSA-pr96-94w5-mx2h).
This fixes CVE-2026-6414 (GHSA-x428-ghpx-8j92).

What's Changed

Full Changelog: fastify/fastify-static@v9.1.0...v9.1.1


Configuration

📅 Schedule: (in timezone Asia/Tokyo)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Apr 17, 2026
@github-actions github-actions Bot added the packages/backend Server side specific issue/PR label Apr 17, 2026
codecov Bot commented Apr 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.42%. Comparing base (a18c909) to head (ac5974d).
⚠️ Report is 40 commits behind head on develop.

Additional details and impacted files
@@             Coverage Diff             @@
##           develop   #17320      +/-   ##
===========================================
- Coverage    63.65%   62.42%   -1.24%     
===========================================
  Files         1161     1162       +1     
  Lines       116313   116557     +244     
  Branches      8407     9080     +673     
===========================================
- Hits         74042    72763    -1279     
- Misses       40063    41584    +1521     
- Partials      2208     2210       +2     


@github-actions

Diff of api.json produced by this PR
There is no diff.
Get diff files from Workflow Page

@github-actions

Backend memory usage comparison

Before GC

Metric   base (MB)     head (MB)     Diff (MB)   Diff (%)
VmRSS      296.95 MB     298.28 MB   +1.33 MB    +0.44%
VmHWM      296.95 MB     298.28 MB   +1.33 MB    +0.44%
VmSize   23094.86 MB   23097.06 MB    2.20 MB        0%
VmData    1358.92 MB    1360.66 MB   +1.74 MB    +0.12%

After GC

Metric   base (MB)     head (MB)     Diff (MB)   Diff (%)
VmRSS      296.96 MB     298.29 MB   +1.32 MB    +0.44%
VmHWM      296.96 MB     298.29 MB   +1.32 MB    +0.44%
VmSize   23095.19 MB   23097.23 MB    2.03 MB        0%
VmData    1359.25 MB    1360.82 MB   +1.57 MB    +0.11%

After Request

Metric   base (MB)     head (MB)     Diff (MB)   Diff (%)
VmRSS      297.36 MB     298.71 MB   +1.35 MB    +0.45%
VmHWM      297.38 MB     298.74 MB   +1.35 MB    +0.45%
VmSize   23095.27 MB   23097.39 MB    2.12 MB        0%
VmData    1359.33 MB    1360.99 MB   +1.65 MB    +0.12%

See workflow logs for details

@renovate renovate Bot changed the title fix(deps): update dependency @fastify/static to v9.1.1 [security] fix(deps): update dependency @fastify/static to v9.1.1 [security] - autoclosed Apr 22, 2026
@renovate renovate Bot closed this Apr 22, 2026
@renovate renovate Bot deleted the renovate/npm-fastify-static-vulnerability branch April 22, 2026 02:49
@github-project-automation github-project-automation Bot moved this from Todo to Done in [実験中] 管理用 Apr 22, 2026