GHSA-qh73-qc3p-rjv2

Source

https://github.com/advisories/GHSA-qh73-qc3p-rjv2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-qh73-qc3p-rjv2/GHSA-qh73-qc3p-rjv2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qh73-qc3p-rjv2

Aliases

CVE-2021-23597

Published

2022-02-11T18:57:53Z

Modified

2025-01-14T09:12:06.596452Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Uncaught Exception in fastify-multipart

Details

Impact

This is a bypass of CVE-2020-8136 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8136). By providing a name=constructor property it is still possible to crash the application. The original fix only checks for the key __proto__ (https://github.com/fastify/fastify-multipart/pull/116).

All users are recommended to upgrade

Patches

v5.3.1 includes a patch

Workarounds

No workarounds are possible.

References

Read up https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning/

For more information

If you have any questions or comments about this advisory: * Open an issue in https://github.com/fastify/fastify-multipart * Email us at hello@matteocollina.com

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-400"
    ],
    "github_reviewed_at": "2022-02-11T18:57:53Z",
    "nvd_published_at": "2022-02-11T17:15:00Z",
    "severity": "HIGH"
}

References

Affected packages

npm / fastify-multipart

Package

Name: fastify-multipart; View open source insights on deps.dev
Purl: pkg:npm/fastify-multipart

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.3.1