Uncaught Exception in fastify-multipart · CVE-2021-23597 · GitHub Advisory Database · GitHub

Uncaught Exception in fastify-multipart

High severity GitHub Reviewed Published Feb 11, 2022 in fastify/fastify-multipart • Updated Feb 3, 2023

Package

fastify-multipart (npm)

Affected versions

< 5.3.1

Patched versions

5.3.1

Description

Impact

This is a bypass of CVE-2020-8136 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8136).
By providing a name=constructor property it is still possible to crash the application.
The original fix only checks for the key __proto__ (fastify/fastify-multipart#116).

All users are recommended to upgrade

Patches

v5.3.1 includes a patch

Workarounds

No workarounds are possible.

References

Read up https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning/

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/fastify/fastify-multipart
Email us at [email protected]

References

mcollina published to fastify/fastify-multipart

Feb 11, 2022

Published by the National Vulnerability Database

Feb 11, 2022

Published to the GitHub Advisory Database Feb 11, 2022

Reviewed Feb 11, 2022

Last updated Feb 3, 2023

Severity

High

7.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H