GHSA-qh73-qc3p-rjv2
Uncaught Exception in fastify-multipart
Details
### Impact
This is a bypass of CVE-2020-8136 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8136). By providing a `name=constructor` property it is still possible to crash the application. The original fix only checks for the key `__proto__` (https://github.com/fastify/fastify-multipart/pull/116).
All users are recommended to upgrade
### Patches
v5.3.1 includes a patch ### Workarounds
No workarounds are possible.
### References
Read up https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning/
### For more information If you have any questions or comments about this advisory: * Open an issue in [https://github.com/fastify/fastify-multipart](https://github.com/fastify/fastify-multipart) * Email us at [hello@matteocollina.com](mailto:hello@matteocollina.com)
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/fastify/fastify-multipart/security/advisories/GHSA-qh73-qc3p-rjv2 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2021-23597 [ADVISORY]
- https://github.com/fastify/fastify-multipart/pull/116 [WEB]
- https://github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066 [WEB]
- https://github.com/fastify/fastify-multipart [WEB]
- https://github.com/fastify/fastify-multipart/releases/tag/v5.3.1 [WEB]
- https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480 [WEB]
- https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning [WEB]