CVE-2020-8192: Denial of service in fastify

CVSS Score (CVSS v3.1)
6.5

Basic Information

EPSS Score
0.58834%
Published
8/5/2020
Updated
1/9/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Package Name
fastify
Ecosystem
npm
Vulnerable Versions
< 2.15.1
First Patched Version
2.15.1

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The commit diff shows the vulnerability was patched by explicitly setting `allErrors: false` in Ajv's configuration within lib/validation.js. The `buildSchemaCompiler` function previously enabled `allErrors: true` in Fastify's default Ajv options, which made validation collect every error for a request instead of failing fast on the first one. This could be exploited with malicious schemas to cause CPU/memory exhaustion. The function's direct control over Ajv's error reporting behavior matches the vulnerability description and patch evidence.
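
As an added illustration (not code from fastify, Ajv, or this advisory), the following tiny schema checker models Ajv's `allErrors` switch: with the pre-patch setting it evaluates and stores every failing keyword on every property, while the patched `allErrors: false` setting returns on the first failure. The `compile` function, its `evaluated` counter, and the sample schema and request body are all constructed for this example.

```javascript
// Added illustration, not fastify or Ajv code: a tiny schema checker with an
// `allErrors` switch that models the Ajv option fastify's fix turned off.
// `evaluated` counts keyword checks so the bound on work is visible.
function compile(schema, { allErrors = false } = {}) {
  return function validate(data) {
    const errors = [];
    let evaluated = 0;
    for (const [name, sub] of Object.entries(schema.properties || {})) {
      const value = data[name];
      for (const [keyword, arg] of Object.entries(sub)) {
        evaluated++;
        let ok = true;
        switch (keyword) {
          case 'type': ok = typeof value === arg; break;
          case 'minimum': ok = typeof value === 'number' && value >= arg; break;
          case 'maximum': ok = typeof value === 'number' && value <= arg; break;
          case 'enum': ok = arg.includes(value); break;
          default: ok = true; // keywords outside this model are ignored
        }
        if (!ok) {
          errors.push({ property: name, keyword });
          // allErrors: false (the patched setting) stops at the first failure
          if (!allErrors) return { valid: false, errors, evaluated };
        }
      }
    }
    return { valid: errors.length === 0, errors, evaluated };
  };
}

// Constructed sample: 50 properties with four constraints each, and a body
// that violates every constraint on every property.
const sampleSchema = { properties: {} };
for (let i = 0; i < 50; i++) {
  sampleSchema.properties['f' + i] = { type: 'number', minimum: 0, maximum: 10, enum: [1, 2, 3] };
}
const badBody = Object.fromEntries(Object.keys(sampleSchema.properties).map((k) => [k, 'x']));

// Pre-2.15.1 setting: every failing keyword on every property is evaluated and stored.
const collectAll = compile(sampleSchema, { allErrors: true })(badBody);
// Patched setting: one keyword evaluated, one error recorded, then return.
const failFast = compile(sampleSchema, { allErrors: false })(badBody);
console.log(collectAll.evaluated, collectAll.errors.length); // 200 200
console.log(failFast.evaluated, failFast.errors.length);     // 1 1
```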

WAF Protection Rules

WAF Rule

A denial of service vulnerability exists in Fastify v2.14.1 and v3.0.0-rc.4 that allows a malicious user to trigger resource exhaustion (when the allErrors option is used) with specially crafted schemas.
