Description
In its default configuration, with baseDir not set, @fastify/swagger-ui exposes all files in the module’s directory through the HTTP routes the module serves.
Recommendation
Update the @fastify/swagger-ui package to the latest compatible version. The version details are as follows:
- Affected version(s): >= 2.0.0, < 2.1.0
- Patched version(s): 2.1.0
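To find installs that fall in the affected range, including copies nested under other dependencies, a check over package-lock.json like the following can be used. It is an added example, not part of the advisory or the @fastify/swagger-ui project; the sample lockfile is constructed and the package name docs-plugin is hypothetical.

```javascript
// Added example; SAMPLE_LOCK is constructed and "docs-plugin" is a made-up package.
const PKG = '@fastify/swagger-ui';
const MIN = [2, 0, 0];   // first affected version, per the advisory
const FIXED = [2, 1, 0]; // patched version, per the advisory

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
// Returns 'affected', 'ok', or 'review' (unparseable or prerelease version).
function classify(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(version));
  if (!m || m[4]) return 'review';
  const v = [Number(m[1]), Number(m[2]), Number(m[3])];
  return compare(v, MIN) >= 0 && compare(v, FIXED) < 0 ? 'affected' : 'ok';
}

// Collect every installed copy, including copies nested under other packages.
function findInstalls(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1 has no "packages" map, only a nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PKG) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

const auditLock = (lock) => findInstalls(lock).map((h) => ({ ...h, status: classify(h.version) }));

const SAMPLE_LOCK = { // constructed sample
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-api', version: '1.0.0' },
    'node_modules/@fastify/swagger-ui': { version: '2.0.1' },
    'node_modules/docs-plugin/node_modules/@fastify/swagger-ui': { version: '2.1.0' },
    'node_modules/fastify': { version: '4.25.2' },
  },
};
console.log(auditLock(SAMPLE_LOCK));
```

Entries reported as review (prerelease or non-semver version strings) need a manual look, since the advisory only states the range for release versions.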
- Tags:
- npm
- @fastify/swagger-ui
Last updated on February 16, 2024