CVE-2022-39288 Fastify is a low overhead Node.js framework. Malicious use of the Content-Type header can be used to deny service.

An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit `fbb07e8d` and will be included in release version 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually filter out http content with malicious Content-Type headers. fastify is a fast and low overhead web framework, for Node.js. fastify is subject to a denial of service via malicious use of requireJS. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit `1b7a9b37` and will be included in release version 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually filter out http content with malicious Content-Type headers. fastify is a fast and low overhead web framework, for Node.js. fastify is subject to a denial of service via malicious use of requireJS. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit `1b7a9b37` and will be included in release version 4.8.1. Users are advised to

CVE-2017-7585

An attacker can send an out of range Content-Length header which can cause the application to crash. This issue has been addressed in commit `4f7b8e81` and will be included in release version 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually filter out http content with malicious Content-Length headers. fastify is a fast and low overhead web framework, for Node.js. fastify is subject to a denial of service via malicious use of requireJS. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Length header. An attacker can send an out of range Content-Length header which can cause the application to crash. This issue has been addressed in commit `e0ca3d85` and will be included in release version 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually filter out http content with malicious Content-Length headers. fastify is a fast and low overhead web framework, for Node.js

Timeline

Published on: 10/10/2022 21:15:00 UTC
Last modified on: 10/12/2022 18:15:00 UTC

References

• https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg
• https://github.com/fastify/fastify/security/policy
• https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39288