CVE-2021-22963 – fastify-static: open redirect via a URL with double slash followed by a domain
https://notcve.org/view.php?id=CVE-2021-22963
A redirect vulnerability in the fastify-static module, versions before 4.2.4, allows remote attackers to redirect users to arbitrary websites via a double slash (//) followed by a domain, for example http://localhost:3000//google.com/%2e%2e. The issue affects every fastify-static application that sets the redirect: true option; the default is false.

References:
• https://hackerone.com/reports/1354255
• https://access.redhat.com/security/cve/CVE-2021-22963
• https://bugzilla.redhat.com/show_bug.cgi?id=2015152

Weakness: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')