Skip to content

DoS due to unlimited number of parts

High
mcollina published GHSA-hpp2-2cr5-pf6g Feb 14, 2023

Package

npm @fastify/multipart (npm)

Affected versions

<= 6.0.0; 7.0.0 <= 7.4.0

Patched versions

>= 6.0.1 < 7.0.0; >= 7.4.1

Description

Impact

  • The multipart body parser accepts an unlimited number of file parts.
  • The multipart body parser accepts an unlimited number of field parts.
  • The multipart body parser accepts an unlimited number of empty parts as field
    parts.

Patches

This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x).

Workarounds

There are no known workaround.

References

Reported at https://hackerone.com/reports/1816195.

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2023-25576

Weaknesses

Credits