Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1xaDczLXFjM3Atcmp2Ms0rDA

Uncaught Exception in fastify-multipart

Impact

This is a bypass of CVE-2020-8136 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8136).
By providing a name=constructor property it is still possible to crash the application.
The original fix only checks for the key __proto__ (https://github.com/fastify/fastify-multipart/pull/116).

All users are recommended to upgrade

Patches

v5.3.1 includes a patch

Workarounds

No workarounds are possible.

References

Read up https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning/

For more information

If you have any questions or comments about this advisory:

• Open an issue in https://github.com/fastify/fastify-multipart
• Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-qh73-qc3p-rjv2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xaDczLXFjM3Atcmp2Ms0rDA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-qh73-qc3p-rjv2, CVE-2021-23597
References:

• https://github.com/fastify/fastify-multipart/security/advisories/GHSA-qh73-qc3p-rjv2
• https://github.com/fastify/fastify-multipart/pull/116
• https://github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066
• https://github.com/fastify/fastify-multipart/releases/tag/v5.3.1
• https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480
• https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning/
• https://nvd.nist.gov/vuln/detail/CVE-2021-23597
• https://github.com/advisories/GHSA-qh73-qc3p-rjv2

Repository: https://github.com/fastify/fastify-multipart
Blast Radius: 20.9

Affected Packages