CVE Vulnerability

CVE-2023-25576

@fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. This includes the multipart body parser accepting an unlimited number of file parts, the multipart body parser accepting an unlimited number of field parts, and the multipart body parser accepting an unlimited number of empty parts as field parts. This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x). There are no known workarounds.

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1 Release Notes Third Party Advisory
https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1 Release Notes Third Party Advisory
https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6g Third Party Advisory
https://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297 Patch Third Party Advisory
https://hackerone.com/reports/1816195 Permissions Required Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:fastify:fastify-multipart:*:*:*:*:*:fastify:*:*
cpe:2.3:a:fastify:fastify-multipart:*:*:*:*:*:fastify:*:*
Information

Published : 2023-02-14 04:15

Updated : 2023-02-22 05:12

NVD link : CVE-2023-25576

Mitre link : CVE-2023-25576

Products Affected
No products.
CWE
No CWE.