Description
In its default configuration, with baseDir not set, @fastify/swagger-ui exposes every file in the module's directory through the HTTP routes the module serves.
Recommendation
Update the @fastify/swagger-ui package to the latest compatible version. Version details:
- Affected version(s): >= 2.0.0, < 2.1.0
- Patched version(s): 2.1.0
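
To check whether a project resolves an affected copy, including copies pulled in transitively, the following added example (not part of the advisory or of the @fastify/swagger-ui project) scans the parsed contents of a package-lock.json for versions in the range above. It assumes lockfileVersion 2 or 3; the sample lockfile and the package name docs-plugin are constructed for illustration.

```javascript
// Added example: flag lockfile entries for @fastify/swagger-ui in the affected range.
const PKG = "@fastify/swagger-ui";

// Affected range from the advisory: >= 2.0.0, < 2.1.0, i.e. every 2.0.x release.
// Pre-release suffixes are ignored, so a 2.0.x pre-release is flagged as well.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return false; // not a plain version string (e.g. a git URL): review by hand
  return Number(m[1]) === 2 && Number(m[2]) === 0;
}

// Walk the "packages" map of a parsed package-lock.json (lockfileVersion 2 or 3).
// Keys are install paths such as "node_modules/a/node_modules/@fastify/swagger-ui",
// so nested (transitive) copies are reported along with the top-level one.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + PKG)) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample: the top-level copy is patched, a nested copy is not.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app", version: "1.0.0" },
    "node_modules/@fastify/swagger-ui": { version: "2.1.0" },
    "node_modules/docs-plugin/node_modules/@fastify/swagger-ui": { version: "2.0.1" },
    "node_modules/@fastify/swagger": { version: "8.12.0" },
  },
};

for (const hit of findAffected(sampleLock)) {
  console.log(`AFFECTED ${PKG}@${hit.version} at ${hit.path}`);
}
```

For a real project, pass the result of JSON.parse on the contents of package-lock.json to findAffected.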
References
Related Issues
- FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration - CVE-2026-25894
- FUXA contains an insecure default configuration vulnerability - CVE-2025-69970
- files.photo.gallery command injection - CVE-2024-53615
- Saltcorn Server allows logged-in users to delete arbitrary files because of a path traversal vulnerability - CVE-2024-47818
Tags: npm, @fastify/swagger-ui
Last updated on February 16, 2024