GoogleOSV:GHSA-455W-C45V-86RGfastify vulnerable to denial of service via malicious Content-Type
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.002 Low
EPSS
Percentile
53.4%
Impact
An attacker can send an invalid Content-Type header that can cause the application to crash, leading to a possible Denial of Service attack. Only the v4.x line is affected.
(This was updated: upon a close inspection, v3.x is not affected after all).
Patches
Yes, update to > v4.8.0.
Workarounds
You can reject the malicious content types before the body parser enters in action.
const badNames = Object.getOwnPropertyNames({}.__proto__)
fastify.addHook('onRequest', async (req, reply) => {
for (const badName of badNames) {
if (req.headers['content-type'].indexOf(badName) > -1) {
reply.code(415)
throw new Error('Content type not supported')
}
}
})
References
See the HackerOne report #1715536
For more information
References
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.002 Low
EPSS
Percentile
53.4%