Headline
GHSA-v2v2-hph8-q5xp: @fastify/reply-from JSON Content-Type parsing confusion
Impact
The main fastify repository uses fast-content-type-parse to parse the request Content-Type, which trims each piece after splitting the value. @fastify/reply-from did not use this package to parse Content-Type consistently, so its parsing does not trim.
As a result, a reverse proxy server built with @fastify/reply-from could misinterpret the incoming body when a request carries the header `Content-Type: application/json ; charset=utf-8` (note the whitespace before the semicolon). This can lead to a bypass of security checks.
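To make the mismatch concrete, here is an added JavaScript example (not code from fastify or @fastify/reply-from) contrasting a naive split of the Content-Type header with a normalizing parser that trims and lowercases, as the advisory describes fast-content-type-parse doing; the function names and the sample header constant are hypothetical.

```javascript
// Added example (not fastify's own code): contrast a naive Content-Type
// split with a normalizing parser that trims and lowercases, the behaviour
// the advisory attributes to fast-content-type-parse.

// Naive parse: split on ';' and keep the first piece untouched.
function naiveMediaType(header) {
  return header.split(';')[0];
}

// Normalizing parse: trim surrounding whitespace and lowercase the media
// type; parameter names are trimmed and lowercased, values trimmed/unquoted.
function parseContentType(header) {
  if (typeof header !== 'string') return null;
  const [rawType, ...rawParams] = header.split(';');
  const type = rawType.trim().toLowerCase();
  if (!/^[^\s\/]+\/[^\s\/]+$/.test(type)) return null; // reject malformed type
  const parameters = {};
  for (const p of rawParams) {
    const idx = p.indexOf('=');
    if (idx === -1) continue;
    const name = p.slice(0, idx).trim().toLowerCase();
    let value = p.slice(idx + 1).trim();
    if (value.startsWith('"') && value.endsWith('"')) value = value.slice(1, -1);
    if (name) parameters[name] = value;
  }
  return { type, parameters };
}

// A check as a proxy might write it: does the body claim to be JSON?
function isJsonNaive(header) {
  return naiveMediaType(header) === 'application/json';
}
function isJsonNormalized(header) {
  const parsed = parseContentType(header);
  return parsed !== null && parsed.type === 'application/json';
}

// Constructed header value matching the one quoted in the advisory.
const HEADER_WITH_SPACE = 'application/json ; charset=utf-8';

// The two checks disagree on the same header: a component using the naive
// form does not treat the body as JSON, while a component using the
// normalized form does, which is the parsing confusion the advisory reports.
function compareChecks(header) {
  return { naive: isJsonNaive(header), normalized: isJsonNormalized(header) };
}

console.log(compareChecks(HEADER_WITH_SPACE));
```

The fix is to route every component through the same normalizing parser, so the proxy and the upstream agree on what the body is.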
Patches
@fastify/reply-from v9.6.0 includes the fix.
Workarounds
There are no known workarounds.
References
HackerOne report: https://hackerone.com/reports/2295770.
Package
@fastify/reply-from (npm)
Affected versions
< 9.6.0
Patched versions
9.6.0
References
- GHSA-v2v2-hph8-q5xp
- fastify/fastify-reply-from@cbd7c17
- https://github.com/fastify/fastify-reply-from/releases/tag/v9.6.0
- https://nvd.nist.gov/vuln/detail/CVE-2023-51701
mcollina published to fastify/fastify-reply-from
Jan 8, 2024
Published by the National Vulnerability Database
Jan 8, 2024
Published to the GitHub Advisory Database
Jan 8, 2024
Reviewed
Jan 8, 2024
Last updated
Jan 8, 2024