📦

fastify-multipart

Vendor: fastify

Actively Exploited 0 CISA KEV List

PoC / Exploits 0 Code Available

Total RCEs 0 Remote Access

Total CVEs 3 Total Indexed

Avg. EPSS 0.59% Exploit Prob.

Latest CVE CVE-2023-25576 Feb 14

Security Vulnerability Index

Page 1 / 1

7.5 CVSS

CVE-2023-25576

@fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. This includes the multipart body parser accepting an unlimited number of file parts, the multipart body parser accepting an unlimited number of field parts, and the multipart body parser accepting an unlimited number of empty parts as field parts. This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x). There are no known workarounds.

EPSS: 0.60%

Severity: HIGH

Feb 14, 2023

7.5 CVSS

CVE-2021-23597

This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash the application. **Note:** This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382).

EPSS: 0.41%

Severity: HIGH

Feb 11, 2022

7.5 CVSS

CVE-2020-8136

Prototype pollution vulnerability in fastify-multipart < 1.0.5 allows an attacker to crash fastify applications parsing multipart requests by sending a specially crafted request.

EPSS: 0.75%

Severity: HIGH

Mar 20, 2020

Displaying 3 of 3 Total Entries

Total 1 Sections