GitHub Advisory DatabaseGHSA-455W-C45V-86RGfastify vulnerable to denial of service via malicious Content-Type
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.002 Low
EPSS
Percentile
53.4%
Impact
An attacker can send an invalid Content-Type header that can cause the application to crash, leading to a possible Denial of Service attack. Only the v4.x line is affected.
(This was updated: upon a close inspection, v3.x is not affected after all).
Patches
Yes, update to > v4.8.0.
Workarounds
You can reject the malicious content types before the body parser enters in action.
const badNames = Object.getOwnPropertyNames({}.__proto__)
fastify.addHook('onRequest', async (req, reply) => {
for (const badName of badNames) {
if (req.headers['content-type'].indexOf(badName) > -1) {
reply.code(415)
throw new Error('Content type not supported')
}
}
})
References
See the HackerOne report #1715536
For more information
Affected configurations
References
github.com/advisories/GHSA-455w-c45v-86rg
github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3
github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg
github.com/fastify/fastify/security/policy
hackerone.com/bugs?report_id=1715536&subject=fastify
nvd.nist.gov/vuln/detail/CVE-2022-39288
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.002 Low
EPSS
Percentile
53.4%