Lucene search

K
osvGoogleOSV:GHSA-HPP2-2CR5-PF6G
HistoryFeb 14, 2023 - 9:49 p.m.

Denial of service due to unlimited number of parts

2023-02-1421:49:55
Google
osv.dev
8
denial of service
multipart body parser
file parts
field parts
unlimited
fastify
vulnerability

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

61.3%

Impact

  • The multipart body parser accepts an unlimited number of file parts.
  • The multipart body parser accepts an unlimited number of field parts.
  • The multipart body parser accepts an unlimited number of empty parts as field
    parts.

Patches

This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x).

Workarounds

There are no known workaround.

References

Reported at https://hackerone.com/reports/1816195.

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

61.3%

Related for OSV:GHSA-HPP2-2CR5-PF6G