GHSA-455w-c45v-86rg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-455w-c45v-86rg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-455w-c45v-86rg/GHSA-455w-c45v-86rg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-455w-c45v-86rg
- Aliases
- Published
- 2022-10-11T13:45:14Z
- Modified
- 2023-11-08T04:10:17.835364Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- fastify vulnerable to denial of service via malicious Content-Type
- Details
-
Impact
An attacker can send an invalid
Content-Typeheader that can cause the application to crash, leading to a possible Denial of Service attack. Only the v4.x line is affected.(This was updated: upon a close inspection, v3.x is not affected after all).
Patches
Yes, update to
> v4.8.0.Workarounds
You can reject the malicious content types before the body parser enters in action.
const badNames = Object.getOwnPropertyNames({}.__proto__) fastify.addHook('onRequest', async (req, reply) => { for (const badName of badNames) { if (req.headers['content-type'].indexOf(badName) > -1) { reply.code(415) throw new Error('Content type not supported') } } })References
See the HackerOne report #1715536
For more information
- Database specific
{ "cwe_ids": [ "CWE-754" ], "severity": "HIGH", "nvd_published_at": "2022-10-10T21:15:00Z", "github_reviewed_at": "2022-10-11T13:45:14Z", "github_reviewed": true }- References
-
- https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg
- https://nvd.nist.gov/vuln/detail/CVE-2022-39288
- https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3
- https://github.com/fastify/fastify
- https://github.com/fastify/fastify/security/policy
- https://hackerone.com/bugs?report_id=1715536&subject=fastify
Affected packages
npm / fastify
Package
- Name
- fastify
- View open source insights on deps.dev
- Purl
- pkg:npm/fastify