I would like to report a prototype pollution attack in fastify-multipart. It allows crashing a remote server that parses multipart requests by sending a specially crafted request.
module name: fastify-multipart
version: all versions before v1.0.5; v1.0.5 contains the fix.
Fastify plugin to parse the multipart content-type.
Under the hood it uses busboy.
weekly downloads: 4900
Eran Hammer found this vulnerability for Hapi; he tested Fastify as well and found it vulnerable. Here is the Hapi vulnerability report: https://www.npmjs.com/advisories/1479.
> Detailed steps to reproduce with all required references/steps/commands. If there is any exploit code or reference to the package source code this is the place where it should be put.
This was already released in https://github.com/fastify/fastify-multipart/pull/116, and version 1.0.5 was issued.
> Select Y or N for the following statements:
I just need a CVE issued.
It's a Denial of Service attack
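The defensive pattern for the bug class named in this report, as an added JavaScript example that is not fastify-multipart's own code nor the fix in PR #116; it assumes the pollution vector is a multipart field name such as `__proto__` being assigned into a plain object, which the report itself does not state.

```javascript
// Added example, not fastify-multipart's own code. Shows how to collect
// parsed multipart fields into an object so that a field name cannot reach
// Object.prototype. Assumption (not stated in the report above): the vector
// is a field name such as "__proto__" assigned into a plain object.

// Key segments that, written on a plain object, touch the prototype chain.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Returns true when a field name is safe to use as an object key.
// Nested-path syntax (e.g. "a[b].c") is split and every segment is checked;
// this is a generalisation for parsers that expand such names, and a flat
// name is simply the single-segment case.
function isSafeFieldName(name) {
  if (typeof name !== 'string' || name.length === 0) return false;
  const segments = name.split(/[\[\].]+/).filter((s) => s.length > 0);
  return segments.every((s) => !FORBIDDEN_SEGMENTS.has(s));
}

// Collects [name, value] pairs from a multipart parser into a null-prototype
// object. On such an object "__proto__" is an ordinary own property, so the
// container itself cannot be polluted; the deny-list additionally protects
// downstream code that copies the fields into a plain object. Unsafe names
// are reported in `rejected` so the caller can log or refuse the request.
function collectFields(pairs) {
  const fields = Object.create(null); // no Object.prototype behind it
  const rejected = [];
  for (const [name, value] of pairs) {
    if (!isSafeFieldName(name)) {
      rejected.push(name);
      continue;
    }
    fields[name] = value;
  }
  return { fields, rejected };
}

// Constructed sample input, in the shape a multipart parser would emit.
const SAMPLE_PAIRS = [
  ['username', 'alice'],
  ['__proto__', 'polluted'],
  ['constructor', 'polluted'],
  ['profile[__proto__][admin]', 'true'],
  ['age', '42'],
];

console.log(collectFields(SAMPLE_PAIRS));
```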