GHSA-hpp2-2cr5-pf6g

Suggest an improvement
Source
https://github.com/advisories/GHSA-hpp2-2cr5-pf6g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hpp2-2cr5-pf6g/GHSA-hpp2-2cr5-pf6g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hpp2-2cr5-pf6g
Aliases
Related
Published
2023-02-14T21:49:55Z
Modified
2023-11-08T04:11:52.480212Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Denial of service due to unlimited number of parts
Details

Impact

  • The multipart body parser accepts an unlimited number of file parts.
  • The multipart body parser accepts an unlimited number of field parts.
  • The multipart body parser accepts an unlimited number of empty parts as field parts.

Patches

This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x).

Workarounds

There are no known workaround.

References

Reported at https://hackerone.com/reports/1816195.

Database specific
{
    "nvd_published_at": "2023-02-14T16:15:00Z",
    "github_reviewed_at": "2023-02-14T21:49:55Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ]
}
References

Affected packages

npm / @fastify/multipart

Package

Name
@fastify/multipart
View open source insights on deps.dev
Purl
pkg:npm/%40fastify/multipart

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.1

npm / @fastify/multipart

Package

Name
@fastify/multipart
View open source insights on deps.dev
Purl
pkg:npm/%40fastify/multipart

Affected ranges

Type
SEMVER
Events
Introduced
7.0.0
Fixed
7.4.1