8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-22964

GHSA ID

GHSA-pgh6-m65r-2rhq

EPSS Score

0.5754%

CWE

CWE-248

Published

10/12/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-22964

CVE-2021-22964: DOS and Open Redirect with user input

Impact

A redirect vulnerability in the fastify-static module allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e.

A DOS vulnerability is possible if the URL contains invalid characters curl --path-as-is "http://localhost:3000//^/.."

The issue shows up on all the fastify-static applications that set redirect: true option. By default, it is false.

Patches

The issue has been patched in fastify-static@4.4.1

Workarounds

If updating is not an option, you can sanitize the input URLs using the rewriteUrl server option.

References

Bug founder: drstrnegth
hackerone Report

For more information

If you have any questions or comments about this advisory:

Open an issue in fastify-static
Contact the security team

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-22964

GHSA ID

GHSA-pgh6-m65r-2rhq

EPSS Score

0.5754%

CWE

CWE-248

Published

10/12/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
fastify-static	npm	>= 4.2.4, < 4.4.1	4.4.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key points:

getRedirectUrl() lacked validation for protocol-relative paths (//) and error handling for URL parsing, enabling open redirects and DOS via malformed URLs.
The route handler executed getRedirectUrl() without a try/catch block, letting parsing errors propagate as uncaught exceptions. The patch added input validation to getRedirectUrl and error handling in the route handler, confirming these were the vulnerable points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * r**ir**t vuln*r**ility in t** `**sti*y-st*ti*` mo*ul* *llows r*mot* *tt**k*rs to r**ir**t Mozill* *ir**ox us*rs to *r*itr*ry w**sit*s vi* * *ou*l* sl*s* `//` *ollow** *y * *om*in: `*ttp://lo**l*ost:****//*//youtu**.*om/%**%**%**%**%**`.

Reasoning

T** vuln*r**ility st*ms *rom two k*y points: *. **tR**ir**tUrl() l**k** v*li**tion *or proto*ol-r*l*tiv* p*t*s (//) *n* *rror **n*lin* *or URL p*rsin*, *n**lin* op*n r**ir**ts *n* *OS vi* m*l*orm** URLs. *. T** rout* **n*l*r *x**ut** **tR**ir**tUrl()

8.8

Basic Information

Concerned about an active attack path?

CVE-2021-22964: DOS and Open Redirect with user input

Impact

Patches

Workarounds

References

For more information

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI