CVE-2023-25576

CVSS V2 None CVSS V3 None

Description

@fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. This includes the multipart body parser accepting an unlimited number of file parts, the multipart body parser accepting an unlimited number of field parts, and the multipart body parser accepting an unlimited number of empty parts as field parts. This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x). There are no known workarounds.

Overview

CVE ID
CVE-2023-25576

Assigner
security-advisories@github.com

Vulnerability Status
Analyzed

Published Version
2023-02-14T16:15:11

Last Modified Date
2023-02-22T17:12:10

Weakness Enumerations

CWE	URL
CWE-770	http://cwe.mitre.org/data/definitions/770.html
CWE-770	http://cwe.mitre.org/data/definitions/770.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version Start	Version End
cpe:2.3:a:fastify:fastify-multipart::::::fastify::*	1	OR		6.0.1
cpe:2.3:a:fastify:fastify-multipart::::::fastify::*	1	OR	7.0.0	7.4.1

References

Reference URL	Reference Tags
https://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297	Patch Third Party Advisory
https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1	Release Notes Third Party Advisory
https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1	Release Notes Third Party Advisory
https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6g	Third Party Advisory
https://hackerone.com/reports/1816195	Permissions Required Third Party Advisory

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-25576
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25576

History

Created	Old Value	New Value	Data Type	Notes
2023-04-17 07:42:58				Added to TrackCVE
2023-04-17 07:43:00			Weakness Enumeration	new