641 matches found
GHSA-27C6-MCXV-X3FH Unlimited consumption of resources in @fastify/multipart
Impact The saveRequestFiles function does not delete the uploaded temporary files when user cancels the request. Patches Fixed in version 8.3.1 and 9.0.3 Workarounds Do not use saveRequestFiles. References This was identified in https://github.com/fastify/fastify-multipart/issues/546 and fixed in...
CVE-2025-24033 @fastify/multipart vulnerable to unlimited consumption of resources
@fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3, the saveRequestFiles function does not delete the uploaded temporary files when user cancels the request. The issue is fixed in versions 8.3.1 and 9.0.3. As a workaround, do not use...
CVE-2025-24033
CVE-2025-24033 affects the @fastify/multipart plugin. Prior to versions 8.3.1 and 9.0.3, the saveRequestFiles function does not delete uploaded temporary files when a user cancels a request, risking excessive disk usage. The issue is fixed in versions 8.3.1 and 9.0.3. As a workaround, do not use ...
CVE-2025-24033 @fastify/multipart vulnerable to unlimited consumption of resources
@fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3, the saveRequestFiles function does not delete the uploaded temporary files when user cancels the request. The issue is fixed in versions 8.3.1 and 9.0.3. As a workaround, do not use...
CVE-2025-24033 @fastify/multipart vulnerable to unlimited consumption of resources
@fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3, the saveRequestFiles function does not delete the uploaded temporary files when user cancels the request. The issue is fixed in versions 8.3.1 and 9.0.3. As a workaround, do not use...
PT-2025-1271 · Fastify · Fastify-Multipart
Name of the Vulnerable Software and Affected Versions: @fastify/multipart versions prior to 8.3.1 and 9.0.3 Description: The issue is related to the saveRequestFiles function in the @fastify/multipart plugin for Fastify, which fails to delete uploaded temporary files when a user cancels a request...
fastify-multipart 安全漏洞
fastify-multipart is a software package that supports parsing multiple content types. A security vulnerability exists in fastify-multipart versions 8.3.0 and earlier and versions 9.0.0 through 9.0.3 and earlier, which stems from the saveRequestFiles function not deleting temporary files that have...
Malicious code in fastify-tfb (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7464e6810a1e0786e6e5319c23b576286c8bff07c41fcb1ac9d1f47c67f5af40 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
fastify-html (>=0.3.3 <=0.4.0) potentially affected by CVE-2024-37166 via ghtml (=1.7.2)
ghtml NPM version =1.7.2 is affected by a known vulnerability. The following packages have a transitive dependency on ghtml and may be impacted: - fastify-html =0.3.3, =0.4.0 Source cves: CVE-2024-37166 Source advisory: OSV:GHSA-VVHJ-V88F-5GXR...
Insufficient Session Expiration
@fastify/session is vulnerable to Insufficient Session Expiration. The vulnerability is due to the expires field being overridden if the maxAge field is set, which prevents cookies from being correctly detected as expired, thus expired sessions are not destroyed. This allows attackers to maintain...
CVE-2024-35220
@fastify/session is a session plugin for fastify. Requires the @fastify/cookie plugin. When restoring the cookie from the session store, the expires field is overriden if the maxAge field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not...
CVE-2024-35220
Summary: CVE-2024-35220 affects the @fastify/session plugin for Fastify. When restoring a cookie from the session store, the expires field is overridden if maxAge is set, causing expired cookies/sessions to not be destroyed. The issue is fixed in version 10.8.0; affected users should upgrade to 1...
CVE-2024-35220 @fastify/session reuses destroyed session cookie
@fastify/session is a session plugin for fastify. Requires the @fastify/cookie plugin. When restoring the cookie from the session store, the expires field is overriden if the maxAge field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not...
CVE-2024-35220 @fastify/session reuses destroyed session cookie
@fastify/session is a session plugin for fastify. Requires the @fastify/cookie plugin. When restoring the cookie from the session store, the expires field is overriden if the maxAge field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not...
CVE-2024-35220 @fastify/session reuses destroyed session cookie
@fastify/session is a session plugin for fastify. Requires the @fastify/cookie plugin. When restoring the cookie from the session store, the expires field is overriden if the maxAge field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not...
@fastify/session reuses destroyed session cookie
Impact When restoring the cookie from the session store, the expires field is overriden if the maxAge field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed. Patches Updating to v10.9.0 will solve this. Workarounds None References...
GHSA-PJ27-2XVP-4QXG @fastify/session reuses destroyed session cookie
Impact When restoring the cookie from the session store, the expires field is overriden if the maxAge field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed. Patches Updating to v10.9.0 will solve this. Workarounds None References...
fastify session 安全漏洞
fastify session is an open source plugin for fastify. A security vulnerability exists in fastify session version 10.8.0 and earlier that stems from the reuse of a corrupted session cookie...
CVE-2024-31999
@festify/secure-session creates a secure stateless cookie session for Fastify. At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is...
CVE-2024-31999 @fastify/secure-session: Reuse of destroyed secure session cookie
@festify/secure-session creates a secure stateless cookie session for Fastify. At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is...