7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-25576

CVE-2023-25576: Denial of service due to unlimited number of parts

Impact

The multipart body parser accepts an unlimited number of file parts.
The multipart body parser accepts an unlimited number of field parts.
The multipart body parser accepts an unlimited number of empty parts as field parts.

Patches

This is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x).

Workarounds

There are no known workaround.

References

Reported at https://hackerone.com/reports/1816195.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-25576

CVE-2023-25576:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@fastify/multipart	npm	< 6.0.1	6.0.1
@fastify/multipart	npm	>= 7.0.0, < 7.4.1	7.4.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing default limits in the multipart parser configuration. The commit diff shows the addition of default values for 'parts' (1000) and 'fileSize' (bodyLimit) in the options.limits object within the fastifyMultipart function. Prior to this fix, if users didn't explicitly set these limits, the parser accepted unlimited parts. The CWE mappings (CWE-400/CWE-770) directly correlate to this lack of resource throttling. The vulnerable versions' absence of these defaults in the configuration setup made the function susceptible to DoS through excessive part processing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-25576: Denial of service due to unlimited number of parts

Impact

Patches

Workarounds

References

CVE-2023-25576:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.5

7.5

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-25576: Denial of service due to unlimited number of parts

Impact

Patches

Workarounds

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI