Node.js third-party modules: Prototype pollution in multipart parsing

ID H1:804772
Type hackerone
Reporter mcollina
Modified 2020-02-28T10:55:15


I would like to report a prototype pollution attack in fastify-multipart. It allows crashing a remote server that parses multipart requests by sending a specially crafted request.


module name: fastify-multipart
version: all versions before v1.0.5. v1.0.5 contains the fix.
npm page:

Module Description

Fastify plugin to parse the multipart content-type.

Under the hood it uses busboy.

Module Stats

weekly downloads: 4900


Vulnerability Description

Eran Hammer found this vulnerability for Hapi; he tested Fastify as well and found it vulnerable. Here is the Hapi vulnerability report:

Steps To Reproduce:

> Detailed steps to reproduce with all required references/steps/commands. If there is any exploit code or reference to the package source code this is the place where it should be put.


This was already released in and version 1.0.5 issued.
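The report gives no reproduction details here. As an added illustration of the bug class and its mitigation (example code, not from the report or from fastify-multipart), assuming the parser copies busboy-style (name, value) field events into a body object keyed by field name:

```javascript
// Added example; not code from the report or the fastify-multipart project.
// Assumption: the parser receives each multipart field as (name, value) and
// stores it in a body object keyed by name, as a busboy 'field' listener does.

// Constructed sample field events, including a hostile field name. An object
// value is used so the effect on the prototype chain is visible.
const SAMPLE_FIELDS = [
  ['title', 'hello'],
  ['__proto__', { admin: true }],
];

// Vulnerable pattern: a plain {} inherits the __proto__ accessor from
// Object.prototype, so an attacker-chosen field name rewires the body's
// prototype chain instead of becoming an own property.
function collectFieldsUnsafe(fields) {
  const body = {};
  for (const [name, value] of fields) body[name] = value;
  return body;
}

// Hardened pattern: a null-prototype container has no __proto__ accessor, so
// every name is stored as an ordinary own property; the deny-list additionally
// rejects names that become dangerous if the body is later copied into a
// plain object (Object.assign also triggers the inherited accessor).
const DANGEROUS_NAMES = new Set(['__proto__', 'constructor', 'prototype']);

function collectFieldsSafe(fields) {
  const body = Object.create(null);
  for (const [name, value] of fields) {
    if (DANGEROUS_NAMES.has(name)) {
      throw new Error(`rejected multipart field name: ${name}`);
    }
    body[name] = value;
  }
  return body;
}

// Shows the hijack: 'admin' is reachable through the body but is not an own
// property of it, i.e. it arrived via the prototype chain.
function unsafeLeaksIntoPrototype(fields) {
  const body = collectFieldsUnsafe(fields);
  return !Object.prototype.hasOwnProperty.call(body, 'admin') && body.admin === true;
}

// Shows the mitigation: the hostile field name is refused before storage.
function safeRejects(fields) {
  try {
    collectFieldsSafe(fields);
    return false;
  } catch (e) {
    return /rejected multipart field name/.test(e.message);
  }
}
```

Rejecting the request, as the hardened variant does, is the defensive choice; the example does not reproduce the server crash the report describes.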

Wrap up

> Select Y or N for the following statements:

  • I contacted the maintainer to let them know: Y
  • I opened an issue in the related repository: N

I just need a CVE issued.


It's a Denial of Service attack