Denial of service in Fastify via Content-Type header
CVE-2022-39288

7.5HIGH

Key Information:

Vendor: Fastify
Status: Fastify
Vendor: CVE Published:; 10 October 2022

What is CVE-2022-39288?

fastify is a fast and low overhead web framework, for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit fbb07e8d and will be included in release version 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually filter out http content with malicious Content-Type headers.

Affected Version(s)

fastify >= 4.0.0, < 4.8.1

References

https://github.com/fastify/fastify/security/advisories/GH...

https://github.com/fastify/fastify/commit/fbb07e8dfad74c6...

https://github.com/fastify/fastify/security/policy

EPSS Score

6% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 10, 2022
Vulnerability Reserved
Sep 2, 2022

CVE-2022-39288 Data

JSON