Description
The default configuration of @fastify/swagger-ui without baseDir set will lead to all files in the module’s directory being exposed via http routes served by the module.
Recommendation
Update the @fastify/swagger-ui package to the latest compatible version. Followings are version details:
- Affected version(s): >= 2.0.0, < 2.1.0
- Patched version(s): 2.1.0
References
Related Issues
- files.photo.gallery command injection - CVE-2024-53615
- Redoc Prototype Pollution via `Module.mergeObjects` Component - CVE-2024-57083
- FUXA contains an insecure default configuration vulnerability - CVE-2025-69970
- FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration - CVE-2026-25894
You might also like:
- Tags:
- npm
- @fastify/swagger-ui
Anything's wrong? Let us know Last updated on February 16, 2024


