CVE-2021-23597
HIGH 7.5 | EPSS 0.40% | Uncaught Exception in fastify-multipart
Description
### Impact

This is a bypass of CVE-2020-8136 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8136). By providing a `name=constructor` property it is still possible to crash the application. The original fix only checks for the key `__proto__` (https://github.com/fastify/fastify-multipart/pull/116).

All users are recommended to upgrade.

### Patches

v5.3.1 includes a patch.

### Workarounds

No workarounds are possible.

### References

Read up on https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning/

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [https://github.com/fastify/fastify-multipart](https://github.com/fastify/fastify-multipart)
* Email us at [[email protected]](mailto:[email protected])
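The bypass described above, as a constructed illustration added here (this is not fastify-multipart's own code): a field accumulator that only blocklists `__proto__` still collides with the inherited `constructor` key of a plain object and throws, while a null-prototype object keyed by own-property checks treats every field name as plain data.

```javascript
// Added illustration of the bug class in this advisory; constructed example
// code, not fastify-multipart's implementation.

// Blocklist approach in the spirit of the original fix: only "__proto__" is
// rejected. On a plain {} the inherited "constructor" property is still
// reachable, so body["constructor"] is the Object function, not undefined.
function accumulateNaive(fields) {
  const body = {};
  for (const [name, value] of fields) {
    if (name === '__proto__') continue;     // the only key the first fix checked
    if (body[name] === undefined) {
      body[name] = [value];                 // first occurrence of this field
    } else {
      body[name].push(value);               // name=constructor: Object.push is not a function -> TypeError
    }
  }
  return body;
}

// Hardened form: a null-prototype object has no inherited keys at all, so
// "constructor", "__proto__", "toString", ... are ordinary data properties and
// the own-property check alone decides whether a field was already seen.
function accumulateSafe(fields) {
  const body = Object.create(null);
  for (const [name, value] of fields) {
    if (Object.prototype.hasOwnProperty.call(body, name)) {
      body[name].push(value);
    } else {
      body[name] = [value];
    }
  }
  return body;
}

// Runs an accumulator and reports a thrown error instead of letting it escape,
// which is exactly what an unguarded request handler fails to do.
function tryAccumulate(accumulate, fields) {
  try {
    return { ok: true, body: accumulate(fields) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample request fields: one benign field, then the bypass name
// from the advisory, then another inherited name to show the general case.
const SAMPLE_FIELDS = [['user', 'alice'], ['constructor', 'x'], ['toString', 'y']];
console.log(tryAccumulate(accumulateNaive, SAMPLE_FIELDS)); // { ok: false, error: 'TypeError' }
console.log(tryAccumulate(accumulateSafe, SAMPLE_FIELDS));  // { ok: true, body: [Object: null prototype] {...} }
```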
Affected packages (1)
- npm/fastify-multipart: from 0, < 5.3.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (8)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2021-23597
- WEB: https://github.com/fastify/fastify-multipart
- WEB: https://github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066
- WEB: https://github.com/fastify/fastify-multipart/pull/116
- WEB: https://github.com/fastify/fastify-multipart/releases/tag/v5.3.1
- WEB: https://github.com/fastify/fastify-multipart/security/advisories/GHSA-qh73-qc3p-rjv2
- WEB: https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480
- WEB: https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning