CVE-2023-25576

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-25576

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-25576.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-25576

Aliases

GHSA-hpp2-2cr5-pf6g

Published

2023-02-14T15:04:11.119Z

Modified

2025-12-04T23:41:25.823815Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

@fastify/multipart vulnerable to DoS due to unlimited number of parts

Details

@fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. This includes the multipart body parser accepting an unlimited number of file parts, the multipart body parser accepting an unlimited number of field parts, and the multipart body parser accepting an unlimited number of empty parts as field parts. This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x). There are no known workarounds.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/25xxx/CVE-2023-25576.json",
    "cwe_ids": [
        "CWE-770"
    ]
}

References

Affected packages

Git / github.com/fastify/fastify-multipart

Affected ranges

Type

GIT

Repo

https://github.com/fastify/fastify-multipart

Events

Introduced

Fixed

9bf769978962164c08bb6bc69434b3dc2080822e

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.0.1"
        }
    ]
}

Type

GIT

Repo

https://github.com/fastify/fastify-multipart

Events

Introduced

5722827c28e9f37477e8172260ceb092a3892bf9

Fixed

1749638100d367600d08497abb2d22f96dff09fa

Database specific

{
    "versions": [
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.4.1"
        }
    ]
}

Affected versions

4.*

4.0.7

5.*

5.2.0

v0.*

v0.1.0

v0.2.0

v0.3.0

v0.4.0

v0.4.1

v0.5.0

v0.5.1

v0.6.0

v0.7.0

v0.8.0

v0.8.1

v0.8.2

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v3.*

v3.0.0

v3.1.0

v3.2.0

v3.2.1

v3.3.0

v3.3.1

v4.*

v4.0.0

v4.0.1

v4.0.2

v4.0.3

v4.0.4

v4.0.5

v4.0.6

v5.*

v5.0.0

v5.0.1

v5.0.2

v5.1.0

v5.2.1

v5.3.0

v5.3.1

v6.*

v6.0.0

v7.*

v7.0.0

v7.1.0

v7.1.1

v7.1.2

v7.2.0

v7.3.0

v7.4.0