Vulnerability Description
fastify is a fast and low-overhead web framework for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header: an attacker can send an invalid Content-Type header that causes the application to crash. This issue has been addressed in commit `fbb07e8d` and is fixed in release 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually reject HTTP requests that carry malformed Content-Type headers before the framework parses them, for example in a hook that runs ahead of body parsing.
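The mitigation described above, as an added example that is not part of the original advisory or of fastify's own code: a strict parser for the `type/subtype; name=value` grammar of RFC 7231, and a fastify `onRequest` hook that answers 415 for any request whose Content-Type header does not parse, so the header never reaches the framework's body parser. `fastify.addHook('onRequest', fn)` and the callback-style `(request, reply, done)` hook signature are fastify's real API; the names `parseContentType`, `contentTypeGuard` and `registerContentTypeGuard`, and the sample header values, are assumptions made for this example.

```javascript
'use strict';

// Single tchar from RFC 7230 section 3.2.6 (token characters).
const TOKEN_CHAR = /[!#$%&'*+\-.^_`|~0-9A-Za-z]/;

// Strict parser for `type/subtype *( OWS ";" OWS token "=" ( token / quoted-string ) )`.
// Returns { type, subtype, parameters } or null when the value is malformed.
// Written as a character scanner rather than a regex so the guard itself
// cannot be driven into pathological backtracking by a hostile header.
function parseContentType(value) {
  if (typeof value !== 'string') return null;
  const n = value.length;
  let i = 0;
  const skipOws = () => { while (i < n && (value[i] === ' ' || value[i] === '\t')) i++; };
  const readToken = () => {
    const start = i;
    while (i < n && TOKEN_CHAR.test(value[i])) i++;
    return i > start ? value.slice(start, i) : null;
  };

  skipOws();
  const type = readToken();
  if (type === null || value[i] !== '/') return null;   // "application" or "/json"
  i++;
  const subtype = readToken();
  if (subtype === null) return null;                    // "text/"

  const parameters = {};
  for (;;) {
    skipOws();
    if (i === n) break;
    if (value[i] !== ';') return null;                  // junk after the media type
    i++;
    skipOws();
    const name = readToken();
    if (name === null || value[i] !== '=') return null; // "text/plain;" or "; charset"
    i++;
    let val;
    if (value[i] === '"') {
      i++;
      val = '';
      for (;;) {
        if (i >= n) return null;                        // unterminated quoted-string
        let c = value[i++];
        if (c === '"') break;
        if (c === '\\') {                               // quoted-pair: next char is literal
          if (i >= n) return null;
          c = value[i++];
        }
        val += c;
      }
    } else {
      val = readToken();
      if (val === null) return null;                    // "charset=" with nothing after it
    }
    parameters[name.toLowerCase()] = val;
  }
  return { type: type.toLowerCase(), subtype: subtype.toLowerCase(), parameters };
}

// onRequest hook (fastify's callback-style signature: request, reply, done).
// onRequest runs before fastify parses the body, so a malformed header is
// answered with 415 here and never reaches the content-type parser.
function contentTypeGuard(request, reply, done) {
  const header = request.headers['content-type'];
  if (header === undefined) { done(); return; }       // nothing to validate
  if (parseContentType(header) === null) {
    reply.code(415).send({
      statusCode: 415,
      error: 'Unsupported Media Type',
      message: 'Malformed Content-Type header',
    });
    return;                                             // reply sent from the hook: do not call done()
  }
  done();
}

// Wire it onto a fastify instance (helper name is this example's own):
//   const fastify = require('fastify')();
//   registerContentTypeGuard(fastify);
function registerContentTypeGuard(fastify) {
  fastify.addHook('onRequest', contentTypeGuard);
}
```

The parser is deliberately strict: a trailing `;`, an empty parameter name, a bare `charset=` and an unterminated quoted string are all rejected, which can drop requests from sloppy but harmless clients; that is the intended trade-off for an interim workaround, and the hook should be removed once the service runs fastify 4.8.1 or later.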
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fastify | Fastify | < 4.8.1 |
Related Weaknesses (CWE)
References
- https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618 (Patch, Third Party Advisory)
- https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg (Mitigation, Third Party Advisory)
- https://github.com/fastify/fastify/security/policy (Third Party Advisory)
FAQ
What is CVE-2022-39288?
CVE-2022-39288 is a vulnerability with a CVSS score of 7.5 (HIGH). fastify is a fast and low-overhead web framework for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header: an attacker can send an invalid Content-Type header that causes the application to crash.
How severe is CVE-2022-39288?
CVE-2022-39288 has been rated HIGH with a CVSS base score of 7.5/10. The score and rating are listed under CVSS Score above; the impact is availability (denial of service by crashing the application), with no confidentiality or integrity impact described in the advisory.
Is there a patch for CVE-2022-39288?
Yes. The fix landed in fastify commit `fbb07e8d` and is included in release 4.8.1; all versions before 4.8.1 are affected. The references section above links the patch commit and the GitHub security advisory (GHSA-455w-c45v-86rg), which also describes the workaround for users who cannot upgrade.