Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1ocHAyLTJjcjUtcGY2Z84AAxo9

Denial of service due to unlimited number of parts

Impact

Patches

This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x).

Workarounds

There are no known workaround.

References

Reported at https://hackerone.com/reports/1816195.

Permalink: https://github.com/advisories/GHSA-hpp2-2cr5-pf6g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ocHAyLTJjcjUtcGY2Z84AAxo9
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-hpp2-2cr5-pf6g, CVE-2023-25576
References: Repository: https://github.com/fastify/fastify-multipart
Blast Radius: 21.2

Affected Packages

npm:@fastify/multipart
Dependent packages: 110
Dependent repositories: 677
Downloads: 512,779 last month
Affected Version Ranges: >= 7.0.0, < 7.4.1, < 6.0.1
Fixed in: 7.4.1, 6.0.1
All affected versions: 6.0.0, 7.0.0, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.4.0
All unaffected versions: 6.0.1, 7.4.1, 7.4.2, 7.5.0, 7.6.0, 7.6.1, 7.7.0, 7.7.1, 7.7.2, 7.7.3, 8.0.0, 8.1.0, 8.2.0