CVE-2025-24033

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-24033
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-24033.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-24033
Aliases
Published
2025-01-23T17:40:56Z
Modified
2025-10-17T23:31:00.285928Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
@fastify/multipart vulnerable to unlimited consumption of resources
Details

@fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3, the saveRequestFiles function does not delete the uploaded temporary files when the user cancels the request. The issue is fixed in versions 8.3.1 and 9.0.3. As a workaround, do not use saveRequestFiles.

References

Affected packages

Git / github.com/fastify/fastify-multipart

Affected ranges

Type
GIT
Repo
https://github.com/fastify/fastify-multipart
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/fastify/fastify-multipart
Events

Affected versions

4.*

4.0.7

5.*

5.2.0

v0.*

v0.1.0
v0.2.0
v0.3.0
v0.4.0
v0.4.1
v0.5.0
v0.5.1
v0.6.0
v0.7.0
v0.8.0
v0.8.1
v0.8.2

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6

v2.*

v2.0.0
v2.0.1
v2.0.2
v2.0.3

v3.*

v3.0.0
v3.1.0
v3.2.0
v3.2.1
v3.3.0
v3.3.1

v4.*

v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6

v5.*

v5.0.0
v5.0.1
v5.0.2
v5.1.0
v5.2.1
v5.3.0
v5.3.1

v6.*

v6.0.0

v7.*

v7.0.0
v7.1.0
v7.1.1
v7.1.2
v7.2.0
v7.3.0
v7.4.0
v7.4.1
v7.4.2
v7.5.0
v7.6.0
v7.6.1
v7.7.0
v7.7.1
v7.7.2
v7.7.3

v8.*

v8.0.0
v8.1.0
v8.2.0
v8.3.0

v9.*

v9.0.0
v9.0.1
v9.0.2