GHSA-hpp2-2cr5-pf6g
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hpp2-2cr5-pf6g
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hpp2-2cr5-pf6g/GHSA-hpp2-2cr5-pf6g.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hpp2-2cr5-pf6g
- Aliases
- Published
- 2023-02-14T21:49:55Z
- Modified
- 2023-11-08T04:11:52.480212Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Denial of service due to unlimited number of parts
- Details
-
Impact
- The multipart body parser accepts an unlimited number of file parts.
- The multipart body parser accepts an unlimited number of field parts.
- The multipart body parser accepts an unlimited number of empty parts as field parts.
Patches
This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x).
Workarounds
There are no known workaround.
References
Reported at https://hackerone.com/reports/1816195.
- Database specific
{ "cwe_ids": [ "CWE-400", "CWE-770" ], "severity": "HIGH", "github_reviewed": true, "nvd_published_at": "2023-02-14T16:15:00Z", "github_reviewed_at": "2023-02-14T21:49:55Z" }- References
-
- https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6g
- https://nvd.nist.gov/vuln/detail/CVE-2023-25576
- https://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297
- https://hackerone.com/reports/1816195
- https://github.com/fastify/fastify-multipart
- https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1
- https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1
Affected packages
npm / @fastify/multipart
Package
- Name
- @fastify/multipart
- View open source insights on deps.dev
- Purl
- pkg:npm/%40fastify/multipart
npm / @fastify/multipart
Package
- Name
- @fastify/multipart
- View open source insights on deps.dev
- Purl
- pkg:npm/%40fastify/multipart