CVE-2021-22963
fastify-static: open redirect via an URL with double slash followed by a domain
Severity Score
6.1
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
A redirect vulnerability in the fastify-static module version < 4.2.4 allows remote attackers to redirect users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//google.com/%2e%2e.The issue shows up on all the fastify-static applications that set redirect: true option. By default, it is false.
Una vulnerabilidad de redirección en el módulo fastify-static versiones anteriores a 4.2.4, permite a atacantes remotos redirigir a usuarios a sitios web arbitrarios por medio de una doble barra // seguida de un dominio: http://localhost:3000//google.com/%2e%2e. El problema aparece en todas las aplicaciones fastify-static que establecen la opción redirect: true. Por defecto, es false
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-01-06 CVE Reserved
- 2021-10-14 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2024-10-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CAPEC
References (3)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://hackerone.com/reports/1354255 | 2024-08-03 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2021-22963 | 2022-03-03 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2015152 | 2022-03-03 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Fastify Search vendor "Fastify" | Fastify-static Search vendor "Fastify" for product "Fastify-static" | < 4.2.4 Search vendor "Fastify" for product "Fastify-static" and version " < 4.2.4" | - |
Affected
| ||||||