VDB
KO
HIGH 7.5

GHSA-qh73-qc3p-rjv2

Uncaught Exception in fastify-multipart

Details

### Impact

This is a bypass of CVE-2020-8136 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8136). By providing a `name=constructor` property it is still possible to crash the application. The original fix only checks for the key `__proto__` (https://github.com/fastify/fastify-multipart/pull/116).

All users are recommended to upgrade

### Patches

v5.3.1 includes a patch ### Workarounds

No workarounds are possible.

### References

Read up https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning/

### For more information If you have any questions or comments about this advisory: * Open an issue in [https://github.com/fastify/fastify-multipart](https://github.com/fastify/fastify-multipart) * Email us at [hello@matteocollina.com](mailto:hello@matteocollina.com)

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / fastify-multipart
Introduced in: 0 Fixed in: 5.3.1
Fix npm install fastify-multipart@5.3.1

References