Improper Temporary File Management in Fastify Multipart Plugin
CVE-2025-24033
7.5 HIGH
What is CVE-2025-24033?
The @fastify/multipart plugin, used for parsing multipart content in Fastify applications, exhibits a flaw in its saveRequestFiles function. Prior to versions 8.3.1 and 9.0.3, this function fails to delete temporary files when a user cancels a request. This can result in unnecessary storage use and potential data exposure. Users are advised to upgrade to the latest versions or adopt alternative measures such as avoiding the use of saveRequestFiles to mitigate this issue.
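The cleanup that a handler needs when it writes uploads to disk itself instead of calling saveRequestFiles, shown as an added example using Node.js built-ins only. It is not code from @fastify/multipart or from this advisory, and `makeUploadSaver`, `saveUpload` and `demoAbortedUpload` are hypothetical names; the aborted request body is constructed.

```javascript
// Added example: Node.js built-ins only, no @fastify/multipart calls.
// makeUploadSaver, saveUpload and demoAbortedUpload are hypothetical names.
// Modules are loaded once with import(), which works from CommonJS and ESM.
async function makeUploadSaver() {
  const fs = await import('node:fs');
  const path = await import('node:path');
  const { pipeline } = await import('node:stream/promises');
  const { randomUUID } = await import('node:crypto');

  return async function saveUpload(fileStream, dir) {
    const tmpPath = path.join(dir, `upload-${randomUUID()}.tmp`);
    try {
      // pipeline() rejects if the source errors or closes early (request
      // cancelled) and destroys the write stream before it settles.
      await pipeline(fileStream, fs.createWriteStream(tmpPath, { mode: 0o600 }));
      return tmpPath;
    } catch (err) {
      // Cleanup on cancellation: delete the partial temporary file.
      await fs.promises.rm(tmpPath, { force: true });
      throw err;
    }
  };
}

async function demoAbortedUpload() {
  const fs = await import('node:fs');
  const os = await import('node:os');
  const path = await import('node:path');
  const { Readable } = await import('node:stream');
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'upload-demo-'));
  const saveUpload = await makeUploadSaver();

  // Constructed input: one chunk arrives, then the request is cancelled.
  async function* abortedBody() {
    yield Buffer.from('partial file contents');
    throw new Error('client aborted request');
  }
  let outcome = 'saved';
  try {
    await saveUpload(Readable.from(abortedBody()), dir);
  } catch (err) {
    outcome = err.message;
  }
  const leftover = fs.readdirSync(dir); // files still on disk after the abort
  fs.rmSync(dir, { recursive: true, force: true });
  return { outcome, leftover };
}

demoAbortedUpload().then((result) => console.log(result));
```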
Affected Version(s)
fastify-multipart < 8.3.1
fastify-multipart >= 9.0.0, < 9.0.3
