CVE-2025-24033
HIGHfastify/multipart < 8.3.1 and 9.0.0-9.0.3 - Resource Exhaustion via Uncleaned Temporary Files
Title source: llmDescription
@fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3, the `saveRequestFiles` function does not delete the uploaded temporary files when user cancels the request. The issue is fixed in versions 8.3.1 and 9.0.3. As a workaround, do not use `saveRequestFiles`.
References (3)
Core 3
Core References
Issue Tracking x_refsource_misc
https://github.com/fastify/fastify-multipart/issues/546
Issue Tracking x_refsource_misc
https://github.com/fastify/fastify-multipart/pull/567
Vendor Advisory x_refsource_confirm
https://github.com/fastify/fastify-multipart/security/advisories/GHSA-27c6-mcxv-x3fh
Scores
CVSS v3
7.5
EPSS
0.0053
EPSS Percentile
40.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-770
Status
published
Products (3)
fastify/fastify-multipart
< 8.3.1
fastify/fastify-multipart
>= 9.0.0, < 9.0.3
fastify/multipart
0 - 8.3.1npm
Published
Jan 23, 2025
Tracked Since
Feb 18, 2026