CVE-2022-39288 - OpenCVE

fastify is a fast and low overhead web framework, for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit `fbb07e8d` and will be included in release version 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually filter out http content with malicious Content-Type headers.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fastify	Fastify

Configuration 1 [-]

cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3
https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg
https://github.com/fastify/fastify/security/policy

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-10-10T00:00:00

Updated: 2024-08-03T12:00:43.799Z

Reserved: 2022-09-02T00:00:00

Link: CVE-2022-39288

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-10-10T21:15:11.300

Modified: 2022-10-12T18:15:46.940

Link: CVE-2022-39288

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39288", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T12:00:43.799Z", "dateReserved": "2022-09-02T00:00:00", "datePublished": "2022-10-10T00:00:00"}, "containers": {"cna": {"title": "Denial of service in Fastify via Content-Type header", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-10T00:00:00"}, "descriptions": [{"lang": "en", "value": "fastify is a fast and low overhead web framework, for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit `fbb07e8d` and will be included in release version 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually filter out http content with malicious Content-Type headers."}], "affected": [{"vendor": "fastify", "product": "fastify", "versions": [{"version": ">= 4.0.0, < 4.8.1", "status": "affected"}]}], "references": [{"url": "https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg"}, {"url": "https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3"}, {"url": "https://github.com/fastify/fastify/security/policy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "cweId": "CWE-754"}]}], "source": {"advisory": "GHSA-455w-c45v-86rg", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.799Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg", "tags": ["x_transferred"]}, {"url": "https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3", "tags": ["x_transferred"]}, {"url": "https://github.com/fastify/fastify/security/policy", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "807CA7E6-76C5-4960-A3FE-1D3A9340CABB", "versionEndExcluding": "4.8.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "fastify is a fast and low overhead web framework, for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit `fbb07e8d` and will be included in release version 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually filter out http content with malicious Content-Type headers."}, {"lang": "es", "value": "fastify es un framework web r\u00e1pido y de baja sobrecarga, para Node.js. Las versiones afectadas de fastify est\u00e1n sujetas a una denegaci\u00f3n de servicio por medio del uso malicioso del encabezado Content-Type. Un atacante puede enviar un encabezado Content-Type no v\u00e1lida que puede causar el bloqueo de la aplicaci\u00f3n. Este problema ha sido abordado en el commit \"fbb07e8d\" y ser\u00e1 incluido en versi\u00f3n 4.8.1. Es recomendado a usuarios actualizar. Los usuarios que no puedan actualizar pueden filtrar manualmente el contenido http con encabezados Content-Type maliciosos"}], "id": "CVE-2022-39288", "lastModified": "2022-10-12T18:15:46.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-10-10T21:15:11.300", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/fastify/fastify/security/policy"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-754"}], "source": "security-advisories@github.com", "type": "Primary"}]}