This is a bypass of CVE-2020-8136 (https://vulners.com/cve/CVE-2020-8136). By providing a name=constructor property it is still possible to crash the application. The original fix only checks for the key __proto__ (https://github.com/fastify/fastify-multipart/pull/116).

All users are recommended to upgrade; v5.3.1 includes a patch. No workarounds are possible.

Read up on prototype poisoning at https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning/
If you have any questions or comments about this advisory: github.com/fastify/fastify-multipart

References:
github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066
github.com/fastify/fastify-multipart/pull/116
github.com/fastify/fastify-multipart/releases/tag/v5.3.1
github.com/fastify/fastify-multipart/security/advisories/GHSA-qh73-qc3p-rjv2
nvd.nist.gov/vuln/detail/CVE-2021-23597
snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480
www.fastify.io/docs/latest/Guides/Prototype-Poisoning