CVE-2021-22964

8.8 HIGH

📋 TL;DR

A path traversal vulnerability in fastify-static module allows attackers to redirect Firefox users to arbitrary websites via crafted URLs containing double slashes. It also enables denial-of-service attacks through invalid characters. Only applications with the redirect:true option enabled are affected.

💻 Affected Systems

Products:
  • fastify-static
Versions: >=4.2.4 and <4.4.1
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when redirect:true option is explicitly set. Default configuration is redirect:false.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could redirect users to malicious phishing sites or cause service disruption through DoS attacks, potentially leading to credential theft or service unavailability.

🟠 Likely Case

Most probable impact is limited DoS attacks or redirection to unwanted sites for Firefox users accessing vulnerable applications.

🟢 If Mitigated

With redirect:false (default), no impact. With proper input validation and updated versions, minimal risk.

🌐 Internet-Facing: HIGH for applications with redirect:true enabled, as exploitation requires no authentication and is simple.
🏢 Internal Only: MEDIUM for internal applications with redirect:true, as exploitation still possible but attack surface reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting URLs with double slashes or invalid characters. The redirection specifically affects Firefox users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.1

Vendor Advisory: https://github.com/fastify/fastify-static/security/advisories/GHSA-8w3w-2jfq-9q5q

Restart Required: Yes

Instructions:

1. Update fastify-static to version 4.4.1 or later.
2. Run npm update fastify-static or yarn upgrade fastify-static.
3. Restart your application.

🔧 Temporary Workarounds

Disable redirect option (applies to: all)

Set the redirect option to false in the fastify-static configuration. In the options passed when registering fastify-static, ensure: redirect: false

🧯 If You Can't Patch

  • Implement WAF rules to block URLs containing double slashes followed by domains
  • Use reverse proxy to sanitize and validate incoming URLs before reaching application

🔍 How to Verify

Check if Vulnerable:

Check package.json (or the installed package) for the fastify-static version, and verify whether redirect: true is set in the plugin options.

Check Version:

Run npm list fastify-static, or check the version recorded in package.json.

Verify Fix Applied:

Confirm the installed fastify-static version is >=4.4.1 and test with known exploit URLs.
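The following Node.js script is an added example, not code from fastify-static or from this advisory. It automates the workaround check and the three verification steps above: it reads the installed version as reported by npm ls fastify-static --json, compares it against the affected range (>=4.2.4 and <4.4.1), and inspects the options object that the application passes to the plugin for redirect: true. The npm ls JSON shape, the sample version numbers and the sample options are assumptions constructed for the example.

```javascript
// Added example (not fastify-static's own code): decide whether an application is
// exposed to CVE-2021-22964 from the two inputs the advisory names: the installed
// fastify-static version (affected: >=4.2.4 and <4.4.1) and the plugin options
// (affected only when redirect === true). All inputs below are constructed.
//
// The registration this inspects looks like the following in the application
// itself (not executed here; it needs fastify and fastify-static installed):
//   fastify.register(require('fastify-static'), { root: '/srv/public', redirect: false });

const AFFECTED_MIN = [4, 2, 4]; // first affected version (inclusive)
const FIXED = [4, 4, 1];        // patch version (exclusive upper bound)

// Parse an exact "x.y.z" version. A pre-release/build suffix is ignored; ranges such
// as "^4.3.0" are rejected because they do not identify the installed build.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not an exact semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare [major, minor, patch] tuples: returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedVersion(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, FIXED) < 0;
}

// npmLsJson: parsed output of `npm ls fastify-static --json` (assumed shape:
// { dependencies: { 'fastify-static': { version: 'x.y.z' } } }).
// pluginOptions: the options object passed to fastify.register(fastifyStatic, {...}).
function auditFastifyStatic(npmLsJson, pluginOptions) {
  const dep = npmLsJson && npmLsJson.dependencies && npmLsJson.dependencies['fastify-static'];
  if (!dep || !dep.version) {
    return { status: 'not-installed', vulnerable: false };
  }
  const affectedVersion = isAffectedVersion(dep.version);
  const redirectEnabled = Boolean(pluginOptions) && pluginOptions.redirect === true;
  let status = 'vulnerable';
  if (!affectedVersion) status = 'fixed-or-unaffected-version';
  else if (!redirectEnabled) status = 'affected-version-redirect-disabled';
  return {
    version: dep.version,
    affectedVersion,
    redirectEnabled,
    status,
    vulnerable: affectedVersion && redirectEnabled,
  };
}

// Constructed sample of `npm ls fastify-static --json` for a project inside the affected range.
const SAMPLE_NPM_LS = { name: 'demo-app', dependencies: { 'fastify-static': { version: '4.3.0' } } };

console.log(auditFastifyStatic(SAMPLE_NPM_LS, { root: '/srv/public', redirect: true }));
console.log(auditFastifyStatic(SAMPLE_NPM_LS, { root: '/srv/public' }));
console.log(auditFastifyStatic({ dependencies: { 'fastify-static': { version: '4.4.1' } } }, { redirect: true }));
```

The version check deliberately refuses range specifiers from package.json: only the resolved version from npm ls (or the lockfile) says which build is actually running. The option check looks for a strict boolean true because that is the only value under which the advisory says the application is affected.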

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing // followed by domain names
  • Requests with invalid characters like ^ in URL paths

Network Indicators:

  • Unusual redirect patterns from your application
  • HTTP 302/301 responses to unexpected domains

SIEM Query:

http.url:*//* AND http.status_code:302
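The following scanner is an added example, not part of the advisory and not fastify-static code. It applies the log indicators above to access-log lines in the common "combined" format that a reverse proxy in front of the application typically writes, and correlates them with 301/302 status codes the way the SIEM query does. The log format is an assumption; the log lines, client addresses and host names are constructed for the example.

```javascript
// Added example (not from the advisory): scan access logs for the request patterns
// listed as indicators (double slash followed by a domain-like name, invalid URL
// characters) and correlate them with 301/302 responses. The combined log format is
// assumed; every log line below is constructed.

const COMBINED_LOG = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)/;

// "//" followed by something shaped like a host name (label.label.tld).
const DOUBLE_SLASH_DOMAIN = /\/\/(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[\/?#]|$)/i;
// Characters RFC 3986 allows in a path: unreserved, sub-delims, ":" "@" "/" and %XX escapes.
const VALID_PATH = /^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@\/]|%[0-9A-Fa-f]{2})*$/;

function parseCombinedLine(line) {
  const m = COMBINED_LOG.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[6]) };
}

// Percent-decode defensively so "%2F%2F" is inspected as "//"; undecodable input is left as-is.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (_) { return s; }
}

function classifyRequest(target, status) {
  const path = target.split(/[?#]/, 1)[0];
  const decoded = safeDecode(path);
  const indicators = [];
  if (DOUBLE_SLASH_DOMAIN.test(decoded)) indicators.push('double-slash-domain');
  else if (decoded.includes('//')) indicators.push('double-slash');
  if (!VALID_PATH.test(path)) indicators.push('invalid-chars');
  const redirected = status === 301 || status === 302;
  // A domain-like double slash that actually produced a redirect is the strongest signal.
  let severity = 'low';
  if (indicators.includes('double-slash-domain') && redirected) severity = 'high';
  else if (indicators.includes('double-slash-domain') || indicators.includes('invalid-chars')) severity = 'medium';
  return { indicators, redirected, severity };
}

// Returns one finding per request line that carries at least one indicator.
function scanAccessLog(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    const req = parseCombinedLine(line);
    if (!req) continue; // not a combined-format line; skip rather than guess
    const result = classifyRequest(req.target, req.status);
    if (result.indicators.length) findings.push({ ...req, ...result });
  }
  return findings;
}

// Constructed sample log: one benign request, one double-slash/domain request that was
// redirected, one request with an invalid character, one ordinary 301, one harmless "//".
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 Firefox/92.0"',
  '203.0.113.7 - - [10/Oct/2021:12:00:02 +0000] "GET //example.net/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Firefox/92.0"',
  '203.0.113.9 - - [10/Oct/2021:12:00:03 +0000] "GET /assets/^/logo.png HTTP/1.1" 500 0 "-" "curl/7.79.1"',
  '198.51.100.4 - - [10/Oct/2021:12:00:04 +0000] "GET /docs HTTP/1.1" 301 0 "-" "curl/7.79.1"',
  '198.51.100.6 - - [10/Oct/2021:12:00:05 +0000] "GET /css//theme/site.css HTTP/1.1" 200 2048 "-" "curl/7.79.1"',
].join('\n');

console.log(scanAccessLog(SAMPLE_LOG));
```

Two caveats when running this over real logs: a path such as /static//logo.png ends in something that looks like a host name (logo.png) and will be classified as domain-like, so an allowlist of static-file extensions is a sensible refinement; and the combined format does not record the Location header, so the "302 to an unexpected domain" indicator needs a proxy log format that includes the upstream Location value.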
