CVE-2021-22964 Information
Description
A redirect vulnerability in the fastify-static module version >= 4.2.4 and < 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e.A DOS vulnerability is possible if the URL contains invalid characters curl --path-as-is \http://localhost:3000//^/..\The issue shows up on all the fastify-static applications that set redirect: true option. By default it is false.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H
Reference
https://hackerone.com/reports/1361804
A
redirect
vulnerability
in
the
fastify-static
module
version
= 4.2.4 and < 4.4.1 allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash
//followed by a domain:[***http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e.A***](http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e.A) DOS vulnerability is possible if the URL contains invalid characterscurl –path-as-is [http://localhost:3000//^/..`The](http://localhost:3000//^/..`The) issue shows up on all thefastify-staticapplications that setredirect: trueoption. By default it isfalse.
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
REQUIRED
Confidentiality Impact
CHANGED
Integrity Impact
LOW
Availability Impact
LOW
Base Score
HIGH
Base Severity
8.8
Share on: