@hapi/inert has a static-file confinement bypass via sibling-prefix path
- When
- Where
- Global (internet)
- Category
- cyber_advisory · npm
### Impact

`@hapi/inert` serves static files from a directory configured with `path` (in the `directory` / `file` handlers) or `relativeTo` (for `h.file()`), with confinement enforced by the `confine` option (default `true`). Before the patch, the confinement check compared the resolved absolute path against the confine directory using a raw string-prefix test, so a sibling directory whose absolute path begins with the same characters as the confine directory (e.g. `/app/static-secret` next to a served `/app/static`) was incorrectly accepted as confined. An unauthenticated remote attacker who knows or guesses such a sibling name can read any file inside it via a request like `/..%2fstatic-secret/secret.txt`: the path decodes to `../static-secret/secret.txt`, resolves from `/app/static` to `/app/static-secret/secret.txt`, and that string still begins with `/app/static`, so the check passes. The read succeeds provided the file is readable by the server process. Only applications that happen to have a sibling directory sharing a string prefix with the served directory are exploitable; applications with no such sibling are unaffected.

### Patches

Upgrade to 7.1.1.

### Workarounds

For users who cannot upgrade immediately: ensure the directory served via inert has no sibling whose name starts with the same characters (for example, rename `static-secret/` to `secret/`, or move it to a different parent directory).

### Resources

Pull Request: https://github.com/hapijs/inert/pull/176
Sources
- GitHub Advisory Database ↗ · first seen 2026-06-11 17:10 UTC