Impact
An attacker can send an invalid `Content-Type` header that can cause the application to crash, leading to a possible Denial of Service attack. Only the v4.x line is affected. (This was updated: upon closer inspection, v3.x is not affected after all.)
Patches
Yes, upgrade to v4.8.1 or later (any release above v4.8.0).
Workarounds
You can reject the malicious content types in an `onRequest` hook, before the body parser runs. The hook has to cope with requests that carry no `Content-Type` header at all (most GET requests), so check for the header before inspecting it:

```js
const badNames = Object.getOwnPropertyNames({}.__proto__)
fastify.addHook('onRequest', async (req, reply) => {
  // Requests without a body normally carry no Content-Type; let them through
  // instead of calling indexOf on undefined.
  const contentType = req.headers['content-type']
  if (typeof contentType !== 'string') return
  for (const badName of badNames) {
    if (contentType.indexOf(badName) > -1) {
      reply.code(415)
      throw new Error('Content type not supported')
    }
  }
})
```
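The following is an added illustration of the workaround above; it is not fastify's code and the parser registry in it is a constructed stand-in, not fastify's internal one. It shows why names inherited from `Object.prototype` are dangerous keys for any lookup table indexed by the raw `Content-Type` header, contrasts a plain-object lookup with a `Map`-based one as a general hardening (not a description of the upstream fix), and wraps the advisory's substring check in a guard that tolerates a missing header. The function names (`naiveLookup`, `safeLookup`, `isPrototypeName`, `contentTypeGuard`, `onRequestGuard`) are this example's own. It runs without fastify installed.

```javascript
// Added illustration for the workaround above. NOT fastify's code: the parser
// registry is a constructed stand-in for any lookup table keyed on the raw
// Content-Type header value.

// Every plain object inherits these property names. A header value equal to
// one of them resolves to the prototype's member instead of undefined.
const badNames = Object.getOwnPropertyNames(Object.prototype)

// Constructed example registry, keyed by media type, stored as a plain object.
const naiveParsers = {
  'application/json': { fn: (body) => JSON.parse(body) },
}

// Plain-object lookup: inherited properties leak through, so the caller gets a
// function (for 'constructor') or Object.prototype itself (for '__proto__')
// and will crash as soon as it treats the result as a parser entry.
function naiveLookup(contentType) {
  return naiveParsers[contentType]
}

// Hardened lookup: a Map has no inherited string keys, so unknown media types,
// prototype names included, come back as undefined.
const safeParsers = new Map(Object.entries(naiveParsers))
function safeLookup(contentType) {
  return safeParsers.get(contentType)
}

// The advisory's substring check, made total: a missing header (GET requests
// usually have none) is not malicious. Substring matching is deliberately
// conservative; no registered media type contains these case-sensitive names.
function isPrototypeName(header) {
  if (typeof header !== 'string') return false
  return badNames.some((name) => header.includes(name))
}

// Synchronous guard used by the hook: sets 415 and returns the Error to throw,
// or null when the request may proceed. Kept separate from the async hook so
// it can be exercised with plain fake request/reply objects.
function contentTypeGuard(req, reply) {
  if (!isPrototypeName(req.headers['content-type'])) return null
  reply.code(415)
  return new Error('Content type not supported')
}

// Hook in the shape fastify's onRequest expects (async, throw to abort the
// request). Register it with: fastify.addHook('onRequest', onRequestGuard)
async function onRequestGuard(req, reply) {
  const err = contentTypeGuard(req, reply)
  if (err) throw err
}

// Stand-alone demonstration with constructed requests and a fake reply.
function demo() {
  const log = []
  const fakeReply = { code(c) { log.push(`status ${c}`); return this } }
  const samples = [undefined, 'application/json; charset=utf-8', 'constructor', '__proto__']
  for (const ct of samples) {
    const err = contentTypeGuard({ headers: { 'content-type': ct } }, fakeReply)
    log.push(`${String(ct)} -> ${err ? 'rejected' : 'allowed'}`)
  }
  log.push(`naive lookup of "constructor" yields a ${typeof naiveLookup('constructor')}`)
  log.push(`safe lookup of "constructor" yields ${String(safeLookup('constructor'))}`)
  return log
}

console.log(demo().join('\n'))
```

The guard keeps the advisory's substring semantics on purpose: it over-rejects a little rather than trying to reproduce exactly how the framework normalises and matches the header. The `Map` comparison is the more durable fix for your own code, since it removes the prototype from the lookup path instead of blocklisting its names.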
References
See the HackerOne report #1715536.
For more information
References
- https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg
- https://nvd.nist.gov/vuln/detail/CVE-2022-39288
- https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3
- https://github.com/fastify/fastify/security/policy
- https://hackerone.com/bugs?report_id=1715536&subject=fastify
- https://github.com/advisories/GHSA-455w-c45v-86rg