Impact
An attacker can send an invalid Content-Type header that can cause the application to crash, leading to a possible Denial of Service attack. Only the v4.x line is affected.
(This was updated: upon a close inspection, v3.x is not affected after all).
Patches
Yes, update to >v4.8.0.
Workarounds
You can reject the malicious content types before the body parser enters in action.
const badNames = Object.getOwnPropertyNames({}.__proto__)
fastify.addHook('onRequest', async (req, reply) => {
for (const badName of badNames) {
if (req.headers['content-type'].indexOf(badName) > -1) {
reply.code(415)
throw new Error('Content type not supported')
}
}
})References
See the HackerOne report #1715536.
For more information
Fastify security policy
Impact
An attacker can send an invalid
Content-Typeheader that can cause the application to crash, leading to a possible Denial of Service attack. Only the v4.x line is affected.(This was updated: upon a close inspection, v3.x is not affected after all).
Patches
Yes, update to
>v4.8.0.Workarounds
You can reject the malicious content types before the body parser enters in action.
References
See the HackerOne report #1715536.
For more information
Fastify security policy