CVE-2023-25576
HIGH7.5EPSS 0.60%Denial of service due to unlimited number of parts
發布日:2023/2/14修改日:2023/11/8
描述
### Impact * The multipart body parser accepts an unlimited number of file parts. * The multipart body parser accepts an unlimited number of field parts. * The multipart body parser accepts an unlimited number of empty parts as field parts. ### Patches This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x). ### Workarounds There are no known workaround. ### References Reported at https://hackerone.com/reports/1816195.
受影響套件(1)
- npm/@fastify/multipartfrom 0, < 6.0.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-25576
- PATCHhttps://github.com/fastify/fastify-multipart
- WEBhttps://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297
- WEBhttps://github.com/fastify/fastify-multipart/releases/tag/v6.0.1
- WEBhttps://github.com/fastify/fastify-multipart/releases/tag/v7.4.1
- WEBhttps://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6g
- WEBhttps://hackerone.com/reports/1816195