GHSA-455w-c45v-86rg: fastify vulnerable to denial of service via malicious Content-Type

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2022-39288

fastify vulnerable to denial of service via malicious Content-Type

High severity GitHub Reviewed Published Oct 11, 2022 in fastify/fastify • Updated Oct 11, 2022

Vulnerability details Dependabot alerts 0

Package

npm fastify (npm)

Affected versions

>= 4.0.0, < 4.8.1

Patched versions

4.8.1

Description

Impact

An attacker can send an invalid Content-Type header that can cause the application to crash, leading to a possible Denial of Service attack. Only the v4.x line is affected.

(This was updated: upon a close inspection, v3.x is not affected after all).

Patches

Yes, update to > v4.8.0.

Workarounds

You can reject the malicious content types before the body parser enters in action.

const badNames = Object.getOwnPropertyNames({}.__proto__) fastify.addHook('onRequest’, async (req, reply) => { for (const badName of badNames) { if (req.headers[‘content-type’].indexOf(badName) > -1) { reply.code(415) throw new Error(‘Content type not supported’) } } })

References

See the HackerOne report #1715536

For more information

Fastify security policy

References

• GHSA-455w-c45v-86rg
• https://nvd.nist.gov/vuln/detail/CVE-2022-39288
• fastify/fastify@fbb07e8
• https://github.com/fastify/fastify/security/policy
• https://hackerone.com/bugs?report_id=1715536&subject=fastify

mcollina published the maintainer security advisory

Oct 10, 2022

Severity

High

7.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses

CWE-754

CVE ID

CVE-2022-39288

GHSA ID

GHSA-455w-c45v-86rg

Source code

fastify/fastify

Checking history

See something to contribute? Suggest improvements for this vulnerability.