CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31999 – @fastify/secure-session: Reuse of destroyed secure session cookie
https://notcve.org/view.php?id=CVE-2024-31999
@festify/secure-session creates a secure stateless cookie session for Fastify. At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is destroyed. When an encrypted cookie with matching session name is provided with subsequent requests, it will decrypt the ciphertext to get the data. The plugin then creates a new session with the data in the ciphertext. • https://github.com/fastify/fastify-secure-session/commit/56d66642ecc633cff0606927601e81cdac361370 https://github.com/fastify/fastify-secure-session/security/advisories/GHSA-9wwp-q7wq-jx35 • CWE-613: Insufficient Session Expiration •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-25576 – @fastify/multipart vulnerable to DoS due to unlimited number of parts
https://notcve.org/view.php?id=CVE-2023-25576
@fastify/multipart is a Fastify plugin to parse the multipart content-type. Prior to versions 7.4.1 and 6.0.1, @fastify/multipart may experience denial of service due to a number of situations in which an unlimited number of parts are accepted. This includes the multipart body parser accepting an unlimited number of file parts, the multipart body parser accepting an unlimited number of field parts, and the multipart body parser accepting an unlimited number of empty parts as field parts. This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x). There are no known workarounds. • https://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297 https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1 https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1 https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6g https://hackerone.com/reports/1816195 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-41919 – Fastify vulnerable to Cross-Site Request Forgery (CSRF) attack via incorrect content type
https://notcve.org/view.php?id=CVE-2022-41919
Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect `Content-Type` to bypass the `Pre-Flight` checking of `fetch`. `fetch()` requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts `application/json` content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack. This issue has been patched in version 4.10.2 and 3.29.4. As a workaround, implement Cross-Site Request Forgery protection using `@fastify/csrf'. • https://github.com/fastify/fastify/commit/62dde76f1f7aca76e38625fe8d983761f26e6fc9 https://github.com/fastify/fastify/security/advisories/GHSA-3fjj-p79j-c9hh https://www.npmjs.com/package/%40fastify/csrf • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-39288 – Denial of service in Fastify via Content-Type header
https://notcve.org/view.php?id=CVE-2022-39288
fastify is a fast and low overhead web framework, for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit `fbb07e8d` and will be included in release version 4.8.1. Users are advised to upgrade. • https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3 https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg https://github.com/fastify/fastify/security/policy • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-23597 – Denial of Service (DoS)
https://notcve.org/view.php?id=CVE-2021-23597
This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash the application. **Note:** This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382). Esto afecta al paquete fastify-multipart versiones anteriores a 5.3.1. Proporcionando una propiedad name=constructor todavía es posible bloquear la aplicación. • https://github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066 https://github.com/fastify/fastify-multipart/releases/tag/v5.3.1 https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •