CVE-2021-23597: Uncaught Exception in fastify-multipart
This affects versions of the fastify-multipart package before 5.3.1. By providing a name=constructor property, it is still possible to crash the application. Note: This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382).
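One way to check a project against the affected range stated above, as an added example (not code from the fastify project or from this advisory): it scans a parsed package-lock.json, in either the v1 `dependencies` or the v2/v3 `packages` layout, for fastify-multipart entries older than 5.3.1. The sample lockfile and the `legacy-upload` package name are constructed for illustration.

```javascript
const PACKAGE = "fastify-multipart";
const FIXED = "5.3.1"; // first fixed version, from the advisory text

// Parse "major.minor.patch[-prerelease]"; returns null for anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

// True when a sorts before b; a prerelease of X.Y.Z sorts before X.Y.Z.
function isBefore(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) return true; // unparseable (git URL, link): flag for review
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i];
  }
  return pa.pre !== null && pb.pre === null;
}

// Accepts a parsed package-lock.json (v1 "dependencies" or v2/v3 "packages").
function findAffected(lock) {
  const hits = [];
  const check = (path, meta) => {
    if (isBefore(meta.version, FIXED)) hits.push({ path, version: meta.version });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`)) check(path, meta);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PACKAGE) check(path, meta);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample (lockfileVersion 2 layout); "legacy-upload" is a made-up package.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/fastify-multipart": { version: "5.3.1" },
  "node_modules/legacy-upload/node_modules/fastify-multipart": { version: "5.3.0" },
} };
console.log(findAffected(SAMPLE_LOCK));
```

To scan a real project, pass the result of `JSON.parse` on the lockfile contents to `findAffected`; nested copies pulled in by other dependencies are reported with their full `node_modules` path.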
References
- github.com/advisories/GHSA-qh73-qc3p-rjv2
- github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066
- github.com/fastify/fastify-multipart/pull/116
- github.com/fastify/fastify-multipart/releases/tag/v5.3.1
- github.com/fastify/fastify-multipart/security/advisories/GHSA-qh73-qc3p-rjv2
- nvd.nist.gov/vuln/detail/CVE-2021-44255
- snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480
- www.fastify.io/docs/latest/Guides/Prototype-Poisoning/