What is CVE-2024-22207?

CVE-2024-22207 is a medium-severity vulnerability in Fastify Fastify-swagger-ui, classified under Initialization of a Resource with an Insecure Default. CVSS score: 5.3/10. Published 2024-01-15.

How severe is CVE-2024-22207?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Is CVE-2024-22207 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Fastify Fastify-swagger-ui

CVE-2024-22207

fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed via http routes served…

EPSS: 0.020 (78.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Affected products

Fastify Fastify-swagger-ui — versions < 2.1.0
Smartbear Swagger_ui

Weakness classification (CWE)

CWE-1188 — Initialization of a Resource with an Insecure Default

Public proof-of-concept exploits

References

security-advisories@github.com (x_refsource_CONFIRM, Vendor Advisory)
security-advisories@github.com (Patch, x_refsource_MISC)
security-advisories@github.com

Frequently asked questions

What is CVE-2024-22207?: CVE-2024-22207 is a medium-severity vulnerability in Fastify Fastify-swagger-ui, classified under Initialization of a Resource with an Insecure Default. CVSS score: 5.3/10. Published 2024-01-15.
How severe is CVE-2024-22207?: Medium severity. CVSS v3 base score is 5.3 out of 10.
Is CVE-2024-22207 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.