logo

Database

Improper resource allocation In fastify-multipart

Description

Uncaught Exception in fastify-multipart

Impact

This is a bypass of CVE-2020-8136 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8136). By providing a name=constructor property it is still possible to crash the application. The original fix only checks for the key __proto__ (https://github.com/fastify/fastify-multipart/pull/116).

All users are recommended to upgrade

Patches

v5.3.1 includes a patch

Workarounds

No workarounds are possible.

References

Read up https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning/

For more information

If you have any questions or comments about this advisory:

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2021-235972. NVD-2021-235973. OSV-2021-235974. GHSA-qh73-qc3p-rjv25. GCVE-2021-23597

References

1. https://github.com/fastify/fastify-multipart/security/advisories/GHSA-qh73-qc3p-rjv22. https://github.com/fastify/fastify-multipart/pull/1163. https://github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e60664. https://github.com/fastify/fastify-multipart5. https://github.com/fastify/fastify-multipart/releases/tag/v5.3.16. https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.