CVE-2024-22207: Insecure Default Initialization of Resource

January 16, 2024

fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of @fastify/swagger-ui without baseDir set will lead to all files in the module’s directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting the baseDir option can also work around this vulnerability.

References

github.com/advisories/GHSA-62jr-84gf-wmg4
github.com/fastify/fastify-swagger-ui/commit/13d799a2c5f14d3dd5b15892e03bbcbae63ee6f7
github.com/fastify/fastify-swagger-ui/security/advisories/GHSA-62jr-84gf-wmg4
nvd.nist.gov/vuln/detail/CVE-2024-22207

Code Behaviors & Features

Detect and mitigate CVE-2024-22207 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →