Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
8 vulnerabilities found for fastify-multipart by fastify
CVE-2025-24033 (GCVE-0-2025-24033)
Vulnerability from cvelistv5 – Published: 2025-01-23 17:40 – Updated: 2025-02-12 20:41
VLAI
Title
@fastify/multipart vulnerable to unlimited consumption of resources
Summary
@fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3, the `saveRequestFiles` function does not delete the uploaded temporary files when user cancels the request. The issue is fixed in versions 8.3.1 and 9.0.3. As a workaround, do not use `saveRequestFiles`.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/fastify/fastify-multipart/secu… | x_refsource_CONFIRM |
| https://github.com/fastify/fastify-multipart/issues/546 | x_refsource_MISC |
| https://github.com/fastify/fastify-multipart/pull/567 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| fastify | fastify-multipart |
Affected:
< 8.3.1
Affected: >= 9.0.0, < 9.0.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24033",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-23T18:54:50.184882Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:29.689Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fastify-multipart",
"vendor": "fastify",
"versions": [
{
"status": "affected",
"version": "\u003c 8.3.1"
},
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3, the `saveRequestFiles` function does not delete the uploaded temporary files when user cancels the request. The issue is fixed in versions 8.3.1 and 9.0.3. As a workaround, do not use `saveRequestFiles`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-23T17:40:56.228Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fastify/fastify-multipart/security/advisories/GHSA-27c6-mcxv-x3fh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fastify/fastify-multipart/security/advisories/GHSA-27c6-mcxv-x3fh"
},
{
"name": "https://github.com/fastify/fastify-multipart/issues/546",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fastify/fastify-multipart/issues/546"
},
{
"name": "https://github.com/fastify/fastify-multipart/pull/567",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fastify/fastify-multipart/pull/567"
}
],
"source": {
"advisory": "GHSA-27c6-mcxv-x3fh",
"discovery": "UNKNOWN"
},
"title": "@fastify/multipart vulnerable to unlimited consumption of resources"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24033",
"datePublished": "2025-01-23T17:40:56.228Z",
"dateReserved": "2025-01-16T17:31:06.460Z",
"dateUpdated": "2025-02-12T20:41:29.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25576 (GCVE-0-2023-25576)
Vulnerability from cvelistv5 – Published: 2023-02-14 15:04 – Updated: 2025-03-10 21:12
VLAI
Title
@fastify/multipart vulnerable to DoS due to unlimited number of parts
Summary
@fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. This includes the multipart body parser accepting an unlimited number of file parts, the multipart body parser accepting an unlimited number of field parts, and the multipart body parser accepting an unlimited number of empty parts as field parts. This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x). There are no known workarounds.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/fastify/fastify-multipart/secu… | x_refsource_CONFIRM |
| https://github.com/fastify/fastify-multipart/comm… | x_refsource_MISC |
| https://hackerone.com/reports/1816195 | x_refsource_MISC |
| https://github.com/fastify/fastify-multipart/rele… | x_refsource_MISC |
| https://github.com/fastify/fastify-multipart/rele… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| fastify | fastify-multipart |
Affected:
< 6.0.1
Affected: >= 7.0.0, < 7.4.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:25:19.195Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6g"
},
{
"name": "https://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297"
},
{
"name": "https://hackerone.com/reports/1816195",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1816195"
},
{
"name": "https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1"
},
{
"name": "https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25576",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:58:50.709269Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:12:19.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fastify-multipart",
"vendor": "fastify",
"versions": [
{
"status": "affected",
"version": "\u003c 6.0.1"
},
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 7.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. This includes the multipart body parser accepting an unlimited number of file parts, the multipart body parser accepting an unlimited number of field parts, and the multipart body parser accepting an unlimited number of empty parts as field parts. This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x). There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-14T15:04:11.119Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6g"
},
{
"name": "https://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297"
},
{
"name": "https://hackerone.com/reports/1816195",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1816195"
},
{
"name": "https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1"
},
{
"name": "https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1"
}
],
"source": {
"advisory": "GHSA-hpp2-2cr5-pf6g",
"discovery": "UNKNOWN"
},
"title": "@fastify/multipart vulnerable to DoS due to unlimited number of parts"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-25576",
"datePublished": "2023-02-14T15:04:11.119Z",
"dateReserved": "2023-02-07T17:10:00.742Z",
"dateUpdated": "2025-03-10T21:12:19.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23597 (GCVE-0-2021-23597)
Vulnerability from cvelistv5 – Published: 2022-02-11 17:05 – Updated: 2024-09-16 16:58
VLAI
Title
Denial of Service (DoS)
Summary
This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash the application. **Note:** This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382).
Severity
CWE
- Denial of Service (DoS)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480 | x_refsource_MISC |
| https://github.com/fastify/fastify-multipart/comm… | x_refsource_MISC |
| https://github.com/fastify/fastify-multipart/rele… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | fastify-multipart |
Affected:
unspecified , < 5.3.1
(custom)
|
Date Public
2022-02-11 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:14:09.056Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fastify/fastify-multipart/releases/tag/v5.3.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "fastify-multipart",
"vendor": "n/a",
"versions": [
{
"lessThan": "5.3.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Alessio Della Libera of Snyk Research Team"
}
],
"datePublic": "2022-02-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash the application. **Note:** This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 7.1,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service (DoS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-11T17:05:13.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fastify/fastify-multipart/releases/tag/v5.3.1"
}
],
"title": "Denial of Service (DoS)",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2022-02-11T17:03:49.326660Z",
"ID": "CVE-2021-23597",
"STATE": "PUBLIC",
"TITLE": "Denial of Service (DoS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "fastify-multipart",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.3.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Alessio Della Libera of Snyk Research Team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash the application. **Note:** This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382)."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (DoS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480"
},
{
"name": "https://github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066",
"refsource": "MISC",
"url": "https://github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066"
},
{
"name": "https://github.com/fastify/fastify-multipart/releases/tag/v5.3.1",
"refsource": "MISC",
"url": "https://github.com/fastify/fastify-multipart/releases/tag/v5.3.1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2021-23597",
"datePublished": "2022-02-11T17:05:13.098Z",
"dateReserved": "2021-01-08T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:58:20.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8136 (GCVE-0-2020-8136)
Vulnerability from cvelistv5 – Published: 2020-03-20 18:26 – Updated: 2024-08-04 09:48
VLAI
Summary
Prototype pollution vulnerability in fastify-multipart < 1.0.5 allows an attacker to crash fastify applications parsing multipart requests by sending a specially crafted request.
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/804772 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | fastify-multipart |
Affected:
Fixed version: 1.0.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:48:25.935Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/804772"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "fastify-multipart",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed version: 1.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prototype pollution vulnerability in fastify-multipart \u003c 1.0.5 allows an attacker to crash fastify applications parsing multipart requests by sending a specially crafted request."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T18:26:21.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/804772"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8136",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "fastify-multipart",
"version": {
"version_data": [
{
"version_value": "Fixed version: 1.0.5"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Prototype pollution vulnerability in fastify-multipart \u003c 1.0.5 allows an attacker to crash fastify applications parsing multipart requests by sending a specially crafted request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/804772",
"refsource": "MISC",
"url": "https://hackerone.com/reports/804772"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8136",
"datePublished": "2020-03-20T18:26:21.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:48:25.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24033 (GCVE-0-2025-24033)
Vulnerability from nvd – Published: 2025-01-23 17:40 – Updated: 2025-02-12 20:41
VLAI
Title
@fastify/multipart vulnerable to unlimited consumption of resources
Summary
@fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3, the `saveRequestFiles` function does not delete the uploaded temporary files when user cancels the request. The issue is fixed in versions 8.3.1 and 9.0.3. As a workaround, do not use `saveRequestFiles`.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/fastify/fastify-multipart/secu… | x_refsource_CONFIRM |
| https://github.com/fastify/fastify-multipart/issues/546 | x_refsource_MISC |
| https://github.com/fastify/fastify-multipart/pull/567 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| fastify | fastify-multipart |
Affected:
< 8.3.1
Affected: >= 9.0.0, < 9.0.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24033",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-23T18:54:50.184882Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:29.689Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fastify-multipart",
"vendor": "fastify",
"versions": [
{
"status": "affected",
"version": "\u003c 8.3.1"
},
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3, the `saveRequestFiles` function does not delete the uploaded temporary files when user cancels the request. The issue is fixed in versions 8.3.1 and 9.0.3. As a workaround, do not use `saveRequestFiles`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-23T17:40:56.228Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fastify/fastify-multipart/security/advisories/GHSA-27c6-mcxv-x3fh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fastify/fastify-multipart/security/advisories/GHSA-27c6-mcxv-x3fh"
},
{
"name": "https://github.com/fastify/fastify-multipart/issues/546",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fastify/fastify-multipart/issues/546"
},
{
"name": "https://github.com/fastify/fastify-multipart/pull/567",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fastify/fastify-multipart/pull/567"
}
],
"source": {
"advisory": "GHSA-27c6-mcxv-x3fh",
"discovery": "UNKNOWN"
},
"title": "@fastify/multipart vulnerable to unlimited consumption of resources"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24033",
"datePublished": "2025-01-23T17:40:56.228Z",
"dateReserved": "2025-01-16T17:31:06.460Z",
"dateUpdated": "2025-02-12T20:41:29.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25576 (GCVE-0-2023-25576)
Vulnerability from nvd – Published: 2023-02-14 15:04 – Updated: 2025-03-10 21:12
VLAI
Title
@fastify/multipart vulnerable to DoS due to unlimited number of parts
Summary
@fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. This includes the multipart body parser accepting an unlimited number of file parts, the multipart body parser accepting an unlimited number of field parts, and the multipart body parser accepting an unlimited number of empty parts as field parts. This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x). There are no known workarounds.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/fastify/fastify-multipart/secu… | x_refsource_CONFIRM |
| https://github.com/fastify/fastify-multipart/comm… | x_refsource_MISC |
| https://hackerone.com/reports/1816195 | x_refsource_MISC |
| https://github.com/fastify/fastify-multipart/rele… | x_refsource_MISC |
| https://github.com/fastify/fastify-multipart/rele… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| fastify | fastify-multipart |
Affected:
< 6.0.1
Affected: >= 7.0.0, < 7.4.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:25:19.195Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6g"
},
{
"name": "https://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297"
},
{
"name": "https://hackerone.com/reports/1816195",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1816195"
},
{
"name": "https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1"
},
{
"name": "https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25576",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:58:50.709269Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:12:19.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fastify-multipart",
"vendor": "fastify",
"versions": [
{
"status": "affected",
"version": "\u003c 6.0.1"
},
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 7.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. This includes the multipart body parser accepting an unlimited number of file parts, the multipart body parser accepting an unlimited number of field parts, and the multipart body parser accepting an unlimited number of empty parts as field parts. This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x). There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-14T15:04:11.119Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6g"
},
{
"name": "https://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297"
},
{
"name": "https://hackerone.com/reports/1816195",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1816195"
},
{
"name": "https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1"
},
{
"name": "https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1"
}
],
"source": {
"advisory": "GHSA-hpp2-2cr5-pf6g",
"discovery": "UNKNOWN"
},
"title": "@fastify/multipart vulnerable to DoS due to unlimited number of parts"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-25576",
"datePublished": "2023-02-14T15:04:11.119Z",
"dateReserved": "2023-02-07T17:10:00.742Z",
"dateUpdated": "2025-03-10T21:12:19.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23597 (GCVE-0-2021-23597)
Vulnerability from nvd – Published: 2022-02-11 17:05 – Updated: 2024-09-16 16:58
VLAI
Title
Denial of Service (DoS)
Summary
This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash the application. **Note:** This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382).
Severity
CWE
- Denial of Service (DoS)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480 | x_refsource_MISC |
| https://github.com/fastify/fastify-multipart/comm… | x_refsource_MISC |
| https://github.com/fastify/fastify-multipart/rele… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | fastify-multipart |
Affected:
unspecified , < 5.3.1
(custom)
|
Date Public
2022-02-11 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:14:09.056Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fastify/fastify-multipart/releases/tag/v5.3.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "fastify-multipart",
"vendor": "n/a",
"versions": [
{
"lessThan": "5.3.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Alessio Della Libera of Snyk Research Team"
}
],
"datePublic": "2022-02-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash the application. **Note:** This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 7.1,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service (DoS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-11T17:05:13.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fastify/fastify-multipart/releases/tag/v5.3.1"
}
],
"title": "Denial of Service (DoS)",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2022-02-11T17:03:49.326660Z",
"ID": "CVE-2021-23597",
"STATE": "PUBLIC",
"TITLE": "Denial of Service (DoS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "fastify-multipart",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.3.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Alessio Della Libera of Snyk Research Team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash the application. **Note:** This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382)."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (DoS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480"
},
{
"name": "https://github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066",
"refsource": "MISC",
"url": "https://github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066"
},
{
"name": "https://github.com/fastify/fastify-multipart/releases/tag/v5.3.1",
"refsource": "MISC",
"url": "https://github.com/fastify/fastify-multipart/releases/tag/v5.3.1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2021-23597",
"datePublished": "2022-02-11T17:05:13.098Z",
"dateReserved": "2021-01-08T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:58:20.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8136 (GCVE-0-2020-8136)
Vulnerability from nvd – Published: 2020-03-20 18:26 – Updated: 2024-08-04 09:48
VLAI
Summary
Prototype pollution vulnerability in fastify-multipart < 1.0.5 allows an attacker to crash fastify applications parsing multipart requests by sending a specially crafted request.
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://hackerone.com/reports/804772 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | fastify-multipart |
Affected:
Fixed version: 1.0.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:48:25.935Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/804772"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "fastify-multipart",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed version: 1.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prototype pollution vulnerability in fastify-multipart \u003c 1.0.5 allows an attacker to crash fastify applications parsing multipart requests by sending a specially crafted request."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T18:26:21.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/804772"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8136",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "fastify-multipart",
"version": {
"version_data": [
{
"version_value": "Fixed version: 1.0.5"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Prototype pollution vulnerability in fastify-multipart \u003c 1.0.5 allows an attacker to crash fastify applications parsing multipart requests by sending a specially crafted request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/804772",
"refsource": "MISC",
"url": "https://hackerone.com/reports/804772"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8136",
"datePublished": "2020-03-20T18:26:21.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:48:25.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}