
GHSA-v2v2-hph8-q5xp: @fastify/reply-from JSON Content-Type parsing confusion

Impact

fastify core parses the request Content-Type header with fast-content-type-parse, which splits the value on ";" and trims the whitespace around each token, so a value such as "application/json ; charset=utf-8" yields the media type "application/json".

@fastify/reply-from did not use that parser to unify Content-Type handling; its own handling did not trim, so the same header value was seen with the trailing space still attached to the media type.

As a result, a reverse proxy built with @fastify/reply-from could misinterpret the incoming body when a client sends the header "Content-Type: application/json ; charset=utf-8": the proxy and the upstream fastify application disagree about whether the body is JSON. A request that the proxy does not treat as JSON, but that the upstream does, can bypass security checks that key on the parsed content type.
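
The parsing difference described above, shown as an added example written for this page (it is not code from fastify, @fastify/reply-from or fast-content-type-parse): one simplified Content-Type parser with a single switch for trimming, plus a constructed model of a proxy sitting in front of an upstream fastify app. The "role" rule, the request body, the simulate function and the parser itself are hypothetical; only the trim/no-trim difference comes from the advisory.

```javascript
'use strict';

// Simplified Content-Type parser written for this page. The only switch is
// whether whitespace around the ';'-separated tokens is trimmed, which is the
// difference the advisory describes between fastify core (trims, via
// fast-content-type-parse) and @fastify/reply-from before v9.6.0 (did not).
// This is a model, not the code of either library.
function parseContentType(header, { trim }) {
  const clean = (s) => (trim ? s.trim() : s);
  const tokens = String(header == null ? '' : header).split(';');
  const type = clean(tokens[0]).toLowerCase();
  const parameters = {};
  for (const raw of tokens.slice(1)) {
    const eq = raw.indexOf('=');
    if (eq === -1) continue;
    const name = clean(raw.slice(0, eq)).toLowerCase();
    const value = clean(raw.slice(eq + 1)).replace(/^"(.*)"$/, '$1');
    parameters[name] = value;
  }
  return { type, parameters };
}

// Hypothetical security rule enforced at the proxy for JSON bodies:
// the client must not be able to set "role". Returns true if the body passes.
function jsonBodyIsAllowed(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    return false; // malformed JSON is rejected outright
  }
  return !(parsed !== null && typeof parsed === 'object' &&
           Object.prototype.hasOwnProperty.call(parsed, 'role'));
}

// Run one request through a model of the proxy and the upstream fastify app.
// proxyTrims=false models reply-from < 9.6.0; proxyTrims=true models a proxy
// that uses the same trimming parser as upstream, which is what unifying the
// parse in 9.6.0 achieves.
function simulate(header, rawBody, proxyTrims = false) {
  const proxyType = parseContentType(header, { trim: proxyTrims }).type;
  const upstreamType = parseContentType(header, { trim: true }).type;

  const proxyInspects = proxyType === 'application/json';
  // Anything the proxy does not recognise as JSON is forwarded uninspected.
  const proxyForwards = proxyInspects ? jsonBodyIsAllowed(rawBody) : true;
  const upstreamParsesJson = upstreamType === 'application/json';

  return {
    proxyType,
    upstreamType,
    proxyInspects,
    proxyForwards,
    upstreamParsesJson,
    // The confusion: forwarded without inspection, yet parsed as JSON upstream.
    bypass: proxyForwards && !proxyInspects && upstreamParsesJson,
  };
}

// Constructed attacker request: a privilege-escalation attempt in the body,
// with the extra space before ';' that triggers the parsing difference.
const ATTACK_HEADER = 'application/json ; charset=utf-8';
const ATTACK_BODY = '{"role":"admin"}';

for (const header of ['application/json; charset=utf-8', ATTACK_HEADER]) {
  console.log(JSON.stringify(header), '->', simulate(header, ATTACK_BODY));
}
console.log('proxy using the trimming parser ->',
  simulate(ATTACK_HEADER, ATTACK_BODY, true));
```

With the canonical header the proxy recognises JSON, inspects the body and refuses it. With the extra space the vulnerable proxy sees the media type "application/json " (trailing space), skips inspection and forwards the request, while the upstream's trimming parser still treats the body as JSON, so the "role" field reaches the application. The practical takeaway is the one the fix embodies: every layer that makes a decision on Content-Type must parse it the same way, and the trimmed, lower-cased media type is the value to compare against, never the raw header string.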

Patches

@fastify/reply-from v9.6.0 includes the fix.

Workarounds

There are no known workarounds.

References

HackerOne report: https://hackerone.com/reports/2295770


Package: @fastify/reply-from (npm)

Affected versions: < 9.6.0

Patched versions: 9.6.0


References

  • GHSA-v2v2-hph8-q5xp
  • fastify/fastify-reply-from@cbd7c17
  • https://github.com/fastify/fastify-reply-from/releases/tag/v9.6.0
  • https://nvd.nist.gov/vuln/detail/CVE-2023-51701

mcollina published to fastify/fastify-reply-from: Jan 8, 2024

Published by the National Vulnerability Database: Jan 8, 2024

Published to the GitHub Advisory Database: Jan 8, 2024

Reviewed: Jan 8, 2024

Last updated: Jan 8, 2024
