Denial of Service (DoS)
CVE-2021-23597

7.5HIGH

Key Information:

Vendor: Fastify
Status: Fastify-multipart
Vendor: CVE Published:; 11 February 2022

What is CVE-2021-23597?

This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash the application. Note: This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382).

Affected Version(s)

fastify-multipart < 5.3.1

References

https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480

x_refsource_MISC

https://github.com/fastify/fastify-multipart/commit/a70dc...

x_refsource_MISC

https://github.com/fastify/fastify-multipart/releases/tag...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 11, 2022
Vulnerability Reserved
Jan 8, 2021

Credit

Alessio Della Libera of Snyk Research Team

CVE-2021-23597 Data

JSON

Fastify

What is CVE-2021-23597?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit