Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ocHAyLTJjcjUtcGY2Z84AAxo9
Denial of service due to unlimited number of parts
Impact
- The multipart body parser accepts an unlimited number of file parts.
- The multipart body parser accepts an unlimited number of field parts.
- The multipart body parser accepts an unlimited number of empty parts as field parts.
Patches
This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x).
Workarounds
There are no known workarounds.
References
Reported at https://hackerone.com/reports/1816195.
Permalink: https://github.com/advisories/GHSA-hpp2-2cr5-pf6g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ocHAyLTJjcjUtcGY2Z84AAxo9
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-hpp2-2cr5-pf6g, CVE-2023-25576
References:
- https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6g
- https://nvd.nist.gov/vuln/detail/CVE-2023-25576
- https://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297
- https://hackerone.com/reports/1816195
- https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1
- https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1
- https://github.com/advisories/GHSA-hpp2-2cr5-pf6g
Blast Radius: 21.2
Affected Packages
npm:@fastify/multipart
Dependent packages: 110
Dependent repositories: 677
Downloads: 527,192 last month
Affected Version Ranges: >= 7.0.0, < 7.4.1, < 6.0.1
Fixed in: 7.4.1, 6.0.1
All affected versions: 6.0.0, 7.0.0, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.4.0
All unaffected versions: 6.0.1, 7.4.1, 7.4.2, 7.5.0, 7.6.0, 7.6.1, 7.7.0, 7.7.1, 7.7.2, 7.7.3, 8.0.0, 8.1.0, 8.2.0