CVE-2023-25576
📋 TL;DR
CVE-2023-25576 is a denial-of-service vulnerability in @fastify/multipart plugin where attackers can send unlimited multipart parts (files, fields, or empty parts), causing resource exhaustion and service disruption. This affects Fastify applications using vulnerable versions of the multipart plugin. The vulnerability requires no authentication and can be exploited remotely.
💻 Affected Systems
- @fastify/multipart
📦 What is this software?
@fastify/multipart is the Fastify plugin for parsing multipart/form-data request bodies (file uploads and form fields). It streams each part through the busboy parser and hands it to the route handler; only applications that register this plugin are exposed to the issue.
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to memory/CPU exhaustion, potentially affecting all users and requiring service restart.
Likely Case
Degraded performance or temporary service disruption for affected endpoints, leading to user experience issues.
If Mitigated
Minimal impact once a part-count limit (parts, files, fields) is configured alongside rate limiting and monitoring. A body-size limit on its own is a weak control: an empty part costs only a few bytes, so tens of thousands of parts still fit inside a 1 MB body.
🎯 Exploit Status
Simple HTTP request with many multipart parts can trigger the vulnerability. Proof of concept available in HackerOne report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v6.0.1 for Fastify v3.x, v7.4.1 for Fastify v4.x
Vendor Advisory: https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6g
Restart Required: Yes
Instructions:
1. Update package.json so the @fastify/multipart range resolves to >=6.0.1 (Fastify v3) or >=7.4.1 (Fastify v4), e.g. "^7.4.1".
2. Install the patched release: 'npm install @fastify/multipart@^7.4.1' (or '@^6.0.1' on Fastify v3), or 'yarn upgrade @fastify/multipart@^7.4.1'. A plain 'npm update' only moves within the range already declared in package.json, so it does nothing for an exactly pinned version.
3. Restart the Fastify application so the new version is loaded.
🔧 Temporary Workarounds
Rate Limiting
Implement request rate limiting so a single client cannot submit multipart requests faster than the parser can drain them. This slows an attacker but does not bound the number of parts inside one request, so pair it with a parts limit:
npm install @fastify/rate-limit
Request Size and Part-Count Limits
Configure size and part-count limits in the plugin's `limits` option, which is passed through to busboy. Include `parts`: it caps every part of the body, including empty parts that carry no name and are therefore counted by neither `files` nor `fields`:
fastify.register(require('@fastify/multipart'), { limits: { fileSize: 1000000, files: 10, fields: 50, parts: 100 } })
🧯 If You Can't Patch
- Implement WAF rules that reject multipart/form-data bodies containing more than a fixed number of boundary delimiters
- Deploy reverse proxy with request size and rate limiting before the vulnerable application
🔍 How to Verify
Check if Vulnerable:
Check package.json or node_modules/@fastify/multipart/package.json for version <6.0.1 (Fastify v3) or >=7.0.0 and <7.4.1 (Fastify v4). Also look for the pre-rename package name fastify-multipart, whose releases all fall below 6.0.1.
Check Version:
npm list @fastify/multipart | grep @fastify/multipart
Verify Fix Applied:
Verify the installed version is >=6.0.1 (Fastify v3) or >=7.4.1 (Fastify v4), then send a multipart request carrying more parts than the configured limit to each upload endpoint and confirm the server rejects it with an error instead of parsing every part.
📡 Detection & Monitoring
Log Indicators:
- High memory/CPU usage spikes
- Multiple multipart requests from single IP
- Request timeouts on multipart endpoints
Network Indicators:
- Unusually large HTTP requests to multipart endpoints
- Many POST requests with Content-Type: multipart/form-data
SIEM Query:
source="application_logs" AND ("multipart" OR "form-data") AND (request_size > 10000000 OR request_duration > 10s)
🔗 References
- https://github.com/fastify/fastify-multipart/commit/85be81bedf5b29cfd9fe3efc30fb5a17173c1297
- https://github.com/fastify/fastify-multipart/releases/tag/v6.0.1
- https://github.com/fastify/fastify-multipart/releases/tag/v7.4.1
- https://github.com/fastify/fastify-multipart/security/advisories/GHSA-hpp2-2cr5-pf6g
- https://hackerone.com/reports/1816195