Unlimited consumption of resources in @fastify/multipart · CVE-2025-24033 · GitHub Advisory Database · GitHub

Unlimited consumption of resources in @fastify/multipart

High severity GitHub Reviewed Published Jan 23, 2025 in fastify/fastify-multipart • Updated Jan 23, 2025

Package

@fastify/multipart (npm)

Affected versions

<= 8.3.0

>= 9.0.0, < 9.0.3

Patched versions

8.3.1

9.0.3

Description

Impact

The saveRequestFiles function does not delete the uploaded temporary files when user cancels the request.

Patches

Fixed in version 8.3.1 and 9.0.3

Workarounds

Do not use saveRequestFiles.

References

This was identified in fastify/fastify-multipart#546 and fixed in fastify/fastify-multipart#567.

References

mcollina published to fastify/fastify-multipart

Jan 23, 2025

Published to the GitHub Advisory Database Jan 23, 2025

Reviewed Jan 23, 2025

Published by the National Vulnerability Database

Jan 23, 2025

Last updated Jan 23, 2025

Severity

High

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H