CVE-2023-25576
HIGH7.5EPSS 0.60%Denial of service due to unlimited number of parts
Published: 2/14/2023Modified: 11/8/2023
Also known as:GHSA-hpp2-2cr5-pf6g
Description
### Impact * The multipart body parser accepts an unlimited number of file parts. * The multipart body parser accepts an unlimited number of field parts. * The multipart body parser accepts an unlimited number of empty parts as field parts. ### Patches This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x). ### Workarounds There are no known workaround. ### References Reported at https://hackerone.com/reports/1816195.
Affected packages (1)
- npm/@fastify/multipartfrom 0, < 6.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-25576
- PATCHhttps://github.com/fastify/fastify-multipart
- WEBhttps://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297
- WEBhttps://github.com/fastify/fastify-multipart/releases/tag/v6.0.1
- WEBhttps://github.com/fastify/fastify-multipart/releases/tag/v7.4.1
- WEBhttps://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6g
- WEBhttps://hackerone.com/reports/1816195