CVE-2020-8136

CVE-2020-8136 affects fastify-multipart via a prototype-pollution path in versions below 1.0.5, enabling an attacker to crash Fastify applications during multipart request parsing with a crafted input. Connected advisories (GHSA-QH73-QC3P-RJV2 and RH/CVE entries) confirm a bypass vector involving...

CVE-2021-23597

CVE-2021-23597 affects the npm package fastify-multipart prior to 5.3.1. By supplying a name=constructor property, an attacker can crash the application, bypassing the prior CVE-2020-8136 fix. Several sources (OSV, GHSA advisories, CNNVD) confirm the vulnerability and identify upgrading to v5.3.1...

CVE-2023-25576

CVE-2023-25576 affects the Fastify multipart plugin (@fastify/multipart). The vulnerability is a denial-of-service caused by the multipart body parser accepting an unlimited number of parts (files, fields, or empty field parts). It is fixed by upgrading to v7.4.1 for Fastify v4.x and v6.0.1 for F...