GHSA-27C6-MCXV-X3FH

Vulnerability from github – Published: 2025-01-23 18:02 – Updated: 2025-01-23 23:17
Summary
Unlimited consumption of resources in @fastify/multipart
Details

Impact

The saveRequestFiles function does not delete the uploaded temporary files when the user cancels the request, so aborted uploads leave their temporary files on disk and storage consumption is unbounded.

Patches

Fixed in versions 8.3.1 and 9.0.3.

Workarounds

Do not use saveRequestFiles.

References

This was identified in https://github.com/fastify/fastify-multipart/issues/546 and fixed in https://github.com/fastify/fastify-multipart/pull/567.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.3.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@fastify/multipart"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fastify/multipart"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24033"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-23T18:02:07Z",
    "nvd_published_at": "2025-01-23T18:15:33Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe `saveRequestFiles` function does not delete the uploaded temporary files when user cancels the request.\n\n### Patches\n\nFixed in version 8.3.1 and 9.0.3\n\n### Workarounds\n\nDo not use `saveRequestFiles`.\n\n### References\n\nThis was identified in https://github.com/fastify/fastify-multipart/issues/546 and fixed in https://github.com/fastify/fastify-multipart/pull/567.\n",
  "id": "GHSA-27c6-mcxv-x3fh",
  "modified": "2025-01-23T23:17:17Z",
  "published": "2025-01-23T18:02:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-multipart/security/advisories/GHSA-27c6-mcxv-x3fh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24033"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-multipart/issues/546"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-multipart/pull/567"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fastify/fastify-multipart"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unlimited consumption of resources in @fastify/multipart"
}
