CVE-2024-22207

fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of @fastify/swagger-ui without baseDir set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting the baseDir option can also work around this vulnerability.

Published: Jan 15, 2024
Updated: May 4, 2025
CVE: CVE-2024-22207
GHSA: GHSA-62jr-84gf-wmg4
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-1188

Affected Software
References

Software	From	Fixed in
@fastify / swagger-ui	2.0.0	2.1.0
smartbear / swagger_ui	2.0.0	2.1.0

https://github.com/fastify/fastify-swagger-ui/commit/13d799a2c5f14d3dd5b15892e03bbcbae63ee6f7
https://github.com/fastify/fastify-swagger-ui/security/advisories/GHSA-62jr-84gf-wmg4
https://security.netapp.com/advisory/ntap-20240216-0002
https://security.netapp.com/advisory/ntap-20240216-0002/

Vulnerability Database

289,697

CVE-2024-22207