QwikSec

Security Database

CVE

CWE

Training

CVE-2023-25576

Published: Feb 14, 2023

Modified: Mar 10, 2025

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

@fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. This includes the multipart body parser accepting an unlimited number of file parts, the multipart body parser accepting an unlimited number of field parts, and the multipart body parser accepting an unlimited number of empty parts as field parts. This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x). There are no known workarounds.

Vendor	Product	Versions
fastify	fastify-multipart	affected `< 6.0.1` affected `>= 7.0.0, < 7.4.1`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6g

x_refsource_CONFIRM

https://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297

x_refsource_MISC

https://hackerone.com/reports/1816195

x_refsource_MISC

https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1

x_refsource_MISC

https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.