← back
CVE-2023-25576

@fastify/multipart vulnerable to DoS due to unlimited number of parts

CVSS 7.5 HIGHEPSS 1.5%CWE-770
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.5EPSS 1.5%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
14 Feb 2023Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
@fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. This includes the multipart body parser accepting an unlimited number of file parts, the multipart body parser accepting an unlimited number of field parts, and the multipart body parser accepting an unlimited number of empty parts as field parts. This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x). There are no known workarounds.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
fastify · fastify-multipart

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6ghttps://hackerone.com/reports/1816195