GHSA-27c6-mcxv-x3fh

Source
https://github.com/advisories/GHSA-27c6-mcxv-x3fh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-27c6-mcxv-x3fh/GHSA-27c6-mcxv-x3fh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-27c6-mcxv-x3fh
Aliases
  • CVE-2025-24033
Published
2025-01-23T18:02:07Z
Modified
2025-01-23T23:17:17Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Unlimited consumption of resources in @fastify/multipart
Details

Impact

The saveRequestFiles function does not delete the uploaded temporary files when the user cancels the request.

Patches

Fixed in versions 8.3.1 and 9.0.3.

Workarounds

Do not use saveRequestFiles.

References

This was identified in https://github.com/fastify/fastify-multipart/issues/546 and fixed in https://github.com/fastify/fastify-multipart/pull/567.

Database specific
{
    "nvd_published_at": "2025-01-23T18:15:33Z",
    "github_reviewed_at": "2025-01-23T18:02:07Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-770"
    ]
}

Affected packages

npm / @fastify/multipart

Package

Name
@fastify/multipart
Purl
pkg:npm/%40fastify/multipart

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
8.3.1

Database specific

{
    "last_known_affected_version_range": "<= 8.3.0"
}

npm / @fastify/multipart

Package

Name
@fastify/multipart
Purl
pkg:npm/%40fastify/multipart

Affected ranges

Type
SEMVER
Events
Introduced
9.0.0
Fixed
9.0.3