CVE-2023-25576

Denial of service due to unlimited number of parts

Description

### Impact


* The multipart body parser accepts an unlimited number of file parts.
* The multipart body parser accepts an unlimited number of field parts.
* The multipart body parser accepts an unlimited number of empty parts as field parts.
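
An added example, not code from @fastify/multipart or from this advisory: a minimal part counter showing the kind of caps the list above says were missing, with empty parts counted as fields. The function name, the limit names and values, and the sample body are assumptions made for illustration.

```javascript
// Added illustration; not @fastify/multipart source. Limit names/values are assumptions.
const LIMITS = { files: 1, fields: 2, parts: 3 };

// Count the parts of a multipart/form-data body (string) and stop at the first
// exceeded cap. A part without a filename, including an empty part with no
// headers at all, counts as a field.
function countParts(body, boundary, limits = LIMITS) {
  const counts = { files: 0, fields: 0, parts: 0 };
  // Delimiters are CRLF + "--" + boundary; prefix CRLF so the first one matches.
  // Simplification: the boundary is assumed not to be a prefix of other text.
  const segments = ('\r\n' + body).split('\r\n--' + boundary).slice(1);
  for (const segment of segments) {
    if (segment.startsWith('--')) break; // closing delimiter "--boundary--"
    const headerEnd = segment.indexOf('\r\n\r\n');
    const headers = headerEnd === -1 ? '' : segment.slice(0, headerEnd);
    const kind = /filename=/i.test(headers) ? 'files' : 'fields';
    counts.parts += 1;
    counts[kind] += 1;
    if (counts.parts > limits.parts) throw new RangeError('too many parts');
    if (counts[kind] > limits[kind]) throw new RangeError('too many ' + kind);
  }
  return counts;
}

// Constructed sample body: one file, one named field, two empty parts.
const SAMPLE = [
  '--demo', 'Content-Disposition: form-data; name="f"; filename="a.txt"', '', 'hi',
  '--demo', 'Content-Disposition: form-data; name="note"', '', 'x',
  '--demo', '',
  '--demo', '',
  '--demo--', '',
].join('\r\n');

const UNBOUNDED = { files: Infinity, fields: Infinity, parts: Infinity };
console.log('no caps:', countParts(SAMPLE, 'demo', UNBOUNDED));
try {
  countParts(SAMPLE, 'demo'); // default caps
} catch (err) {
  console.log('with caps:', err.message);
}
```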


### Patches

This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x).

### Workarounds

There are no known workarounds.

### References

Reported at https://hackerone.com/reports/1816195.

Vulnerability Details

| Field | Value |
| --- | --- |
| Score | 7.5 |
| Score Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Affected Versions | @fastify/multipart < 6.0.1; @fastify/multipart >= 7.0.0 < 7.4.1 |
| Severity | High |
| Ecosystem | JavaScript |
| Publish Date | February 14, 2023 |
| Modified Date | November 7, 2023 |