CVE-2024-22207: 
JavaScript vulnerability analysis and mitigation

CVE-2024-22207 affects fastify-swagger-ui, a Fastify plugin for serving Swagger UI. The vulnerability was discovered and disclosed on January 15, 2024, affecting versions 2.0.0 to 2.1.0 of the @fastify/swagger-ui package (NVD, GitHub Advisory).

The vulnerability stems from the default configuration of @fastify/swagger-ui when the baseDir option is not set. This configuration flaw allows all files in the module's directory to be exposed via HTTP routes served by the module. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity and no required privileges or user interaction (GitHub Advisory).

Successful exploitation of this vulnerability could lead to the disclosure of sensitive information. The vulnerability allows unauthorized access to all files within the module's directory through HTTP routes, potentially exposing sensitive configuration files or internal documentation (GitHub Advisory, NetApp Advisory).

The vulnerability has been fixed in version 2.1.0 of @fastify/swagger-ui. For users unable to update immediately, a workaround is available by setting the baseDir option in the configuration. This effectively restricts file access to the specified directory (GitHub Advisory).