Description

A denial of service vulnerability exists in Fastify v2.14.1 and v3.0.0-rc.4 that allows a malicious user to trigger resource exhaustion (when the allErrors option is used) with specially crafted schemas.

Remediation

References

https://hackerone.com/reports/903521

Related Vulnerabilities

CVE-2022-35278 Vulnerability in maven package org.apache.activemq:artemis-web

CVE-2020-17480 Vulnerability in npm package tinymce

CVE-2020-13942 Vulnerability in maven package org.apache.unomi:unomi-common

CVE-2019-18350 Vulnerability in npm package ant-design-pro

CVE-2020-11023 Vulnerability in maven package org.webjars.bowergithub.jquery:jquery

Severity

High

Classification

CWE-400 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Tags

Exploit Third Party Advisory