First published: Thu Jan 23 2025
### Impact

The `saveRequestFiles` function does not delete the uploaded temporary files when the user cancels the request.

### Patches

Fixed in versions 8.3.1 and 9.0.3.

### Workarounds

Do not use `saveRequestFiles`.

### References

This was identified in https://github.com/fastify/fastify-multipart/issues/546 and fixed in https://github.com/fastify/fastify-multipart/pull/567.

Affected Software | Affected Version | How to fix |
---|---|---|
npm/@fastify/multipart | >=9.0.0 <9.0.3 | 9.0.3 |
npm/@fastify/multipart | <=8.3.0 | 8.3.1 |
The severity of GHSA-27c6-mcxv-x3fh is considered to be moderate due to the potential for lingering temporary files.
To fix GHSA-27c6-mcxv-x3fh, upgrade to version 8.3.1 or 9.0.3 of the @fastify/multipart package.
The impact of GHSA-27c6-mcxv-x3fh is that the saveRequestFiles function fails to delete uploaded temporary files when a user cancels a request.
It is recommended to avoid using `saveRequestFiles` until you can upgrade to a patched version, because of GHSA-27c6-mcxv-x3fh.
Versions of @fastify/multipart up to and including 8.3.0, and versions from 9.0.0 up to but not including 9.0.3, are affected by GHSA-27c6-mcxv-x3fh.
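
The failure mode described under Impact, shown as an added example that is not code from @fastify/multipart or from its fix: a hypothetical helper, `saveUploadToTemp`, streams an upload to a temporary file and removes the partial file when the stream fails, exercised with a constructed cancelled upload. All function names and the sample input are assumptions made for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const crypto = require('node:crypto');
const { Readable } = require('node:stream');
const { pipeline } = require('node:stream/promises');

// Hypothetical helper (not the library's code): stream one upload to a temp
// file and delete the partial file if the stream fails before it ends.
async function saveUploadToTemp(source, dir = os.tmpdir()) {
  const filepath = path.join(dir, `upload-${crypto.randomUUID()}`);
  // 'wx' refuses to reuse an existing path; 0o600 keeps the file private.
  const handle = await fs.promises.open(filepath, 'wx', 0o600);
  try {
    await pipeline(source, handle.createWriteStream());
    return filepath;
  } catch (err) {
    // Client abort, socket reset or stream error: do not leave the file behind.
    await fs.promises.rm(filepath, { force: true });
    throw err;
  }
}

// Constructed input: a body that delivers one chunk and is then cancelled.
function abortedUpload() {
  let sent = false;
  return new Readable({
    read() {
      if (sent) return this.destroy(new Error('request aborted'));
      sent = true;
      this.push(Buffer.alloc(1024, 0x41));
    },
  });
}

// Saves one complete and one cancelled upload into a scratch directory and
// reports which files remain afterwards.
async function demo() {
  const dir = await fs.promises.mkdtemp(path.join(os.tmpdir(), 'multipart-demo-'));
  const saved = await saveUploadToTemp(Readable.from([Buffer.from('hello')]), dir);
  let aborted = false;
  try { await saveUploadToTemp(abortedUpload(), dir); } catch { aborted = true; }
  const leftover = await fs.promises.readdir(dir);
  await fs.promises.rm(dir, { recursive: true, force: true });
  return { aborted, leftover, savedName: path.basename(saved) };
}

demo().then((result) => console.log(result));
```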