Cyber Posture

CVE-2025-24033

Severity: High

Published: 23 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (@fastify/multipart 8.3.1 / 9.0.3)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0028 (51.1st percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24033 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in the @fastify/multipart plugin for Fastify. Its CVSS v3.1 base score is 7.5 (High): reachable over the network, low attack complexity, no privileges or user interaction required, and an availability-only impact.

Operationally, exploitation maps to the MITRE ATT&CK technique OS Exhaustion Flood (T1499.001). The CVE ranks in the top 48.9% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to OS Exhaustion Flood (T1499.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): directly addresses the vulnerability by requiring timely patching of the @fastify/multipart plugin to version 8.3.1 or 9.0.3, which stops temporary files from accumulating after cancelled requests.

SC-5 Denial-of-service Protection (prevent): mechanisms that limit resource-exhaustion attacks, such as repeatedly cancelled multipart requests that fill disk space with undeleted temporary files.

SC-6 Resource Availability (prevent): protects storage from depletion by enforcing limits on filesystem use, so uncleared temporary files cannot exhaust the disk.

MITRE ATT&CK Enterprise Techniques

T1499.001 OS Exhaustion Flood (tactic: Impact)
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS).
Why this technique?

The vulnerability enables disk-space exhaustion through undeleted temporary files from cancelled multipart uploads, which is OS resource exhaustion producing an Endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

@fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3, the `saveRequestFiles` function does not delete the uploaded temporary files when the user cancels the request. The issue is fixed in versions 8.3.1 and 9.0.3. As a workaround, do not use `saveRequestFiles`.

Deeper analysis

CVE-2025-24033 affects the @fastify/multipart plugin for Fastify, which parses multipart content-type requests. In versions before 8.3.1 (8.x line) and 9.0.3 (9.x line), the saveRequestFiles function writes each uploaded part to a temporary file but does not delete those files when the client cancels the request mid-upload, so they accumulate on the server's filesystem. The weakness is classified as CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): high availability impact, no confidentiality or integrity impact.

The attack is remote, low complexity, and needs neither privileges nor user interaction. An unauthenticated client that can reach any route calling saveRequestFiles can open a multipart upload, abort the connection before it completes, and repeat; each aborted request leaves another temporary file behind until the temp filesystem fills and the application, or the host if the temp directory shares a volume with the OS, fails with a denial of service. Only routes that use saveRequestFiles are exposed; routes that consume parts as streams are not affected by this particular defect.

Remediation is to upgrade @fastify/multipart to 8.3.1 or 9.0.3 (or a later release). As a workaround, do not call saveRequestFiles; consume parts as streams instead, and remove any temporary files the application itself creates when the request closes. The fix and its discussion are documented in the GitHub security advisory (GHSA-27c6-mcxv-x3fh), issue #546, and pull request #567.

Details

CWE(s)

CWE-770 Allocation of Resources Without Limits or Throttling

CVEs Like This One

CVE-2024-57722 (shared CWE-770)
CVE-2026-34824 (shared CWE-770)
CVE-2025-26466 (shared CWE-770)
CVE-2025-8099 (shared CWE-770)
CVE-2021-47895 (shared CWE-770)
CVE-2020-37085 (shared CWE-770)
CVE-2026-20103 (shared CWE-770)
CVE-2024-12537 (shared CWE-770)
CVE-2026-33256 (shared CWE-770)
CVE-2026-26313 (shared CWE-770)

References

GitHub security advisory GHSA-27c6-mcxv-x3fh; @fastify/multipart issue #546 and pull request #567.