Lucene search

K

GoogleOSV:GHSA-QH73-QC3P-RJV2

HistoryFeb 11, 2022 - 6:57 p.m.

Uncaught Exception in fastify-multipart

2022-02-1118:57:53

Google

osv.dev

24

security patch

prototype poisoning

application crash

upgrade

fastify multipart

EPSS

0.002

Percentile

59.3%

Impact

This is a bypass of CVE-2020-8136 (https://vulners.com/cve/CVE-2020-8136).
By providing a name=constructor property it is still possible to crash the application.
The original fix only checks for the key __proto__ (https://github.com/fastify/fastify-multipart/pull/116).

All users are recommended to upgrade

Patches

v5.3.1 includes a patch

Workarounds

No workarounds are possible.

References

Read up https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning/

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/fastify/fastify-multipart
Email us at [email protected]

References

github.com/fastify/fastify-multipart

github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066

github.com/fastify/fastify-multipart/pull/116

github.com/fastify/fastify-multipart/releases/tag/v5.3.1

github.com/fastify/fastify-multipart/security/advisories/GHSA-qh73-qc3p-rjv2

nvd.nist.gov/vuln/detail/CVE-2021-23597

snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480

www.fastify.io/docs/latest/Guides/Prototype-Poisoning

EPSS

0.002

Percentile

59.3%

Related for OSV:GHSA-QH73-QC3P-RJV2

github2 osv3 prion2 cvelist2 cve2 nvd2 veracode2 hackerone1