CVE-2020-8192: Denial of service in fastify
6.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.58834%
CWE
Published
8/5/2020
Updated
1/9/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
fastify | npm | < 2.15.1 | 2.15.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The commit diff shows the vulnerability was patched by explicitly setting allErrors: false
in Ajv's configuration within lib/validation.js. The buildSchemaCompiler
function previously enabled allErrors: true
in Fastify's default Ajv options, which made validation processes collect all errors instead of failing fast. This could be exploited by malicious schemas to cause CPU/memory exhaustion. The function's direct control over Ajv's error reporting behavior matches the vulnerability description and patch evidence.