Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security alert: Busboy can crash on manipulated multipart/form-data header names #250

Closed
RolandHeinze opened this issue Aug 5, 2021 · 2 comments
Closed

Security alert: Busboy can crash on manipulated multipart/form-data header names #250

RolandHeinze opened this issue Aug 5, 2021 · 2 comments

Comments

@RolandHeinze
Copy link

I already wrote a PR for this problem. which is actually a problem of Dicer which busboy uses. For more information see mscdex/dicer#22.
@srosset81 srosset81 mentioned this issue Aug 9, 2021
Closed
maxpoulin64 added a commit to maxpoulin64/thelounge that referenced this issue Dec 5, 2021
@maxpoulin64
Switch busboy implementation to @fastify/busboy
2c2dd1c 
I've been notified the current implementation is abandonned and has been forked by fastify to fix bugs, including some crashes and hangs:
See:
* mscdex/busboy#250
* mscdex/dicer#22
* mscdex/dicer#25
@maxpoulin64 maxpoulin64 mentioned this issue Dec 5, 2021
Merged
@kibertoad
Copy link

This was fixed in https://github.com/fastify/busboy

@mscdex
Copy link
Owner

mscdex commented Dec 19, 2021

This should be fixed in v1.0.0.

@mscdex mscdex closed this as completed Dec 19, 2021
@justinnitz justinnitz mentioned this issue May 19, 2022
Closed
@TheKingTermux TheKingTermux mentioned this issue Jun 23, 2022
Closed
4 tasks
@f3lin-mntm f3lin-mntm mentioned this issue Jun 28, 2022
Closed
This was referenced Jul 5, 2022
Open
Open
@github-actions github-actions bot mentioned this issue Aug 1, 2022
Open
@bytebrain bytebrain mentioned this issue Oct 4, 2022
Closed
sgammon added a commit to sgammon/axios-fetch that referenced this issue Dec 19, 2022
@sgammon
fix: pin multer -> 1.4.4-lts.1 to mitigate GHSA-wm7h-9275-46v2
8f53532 
Severity:
High

References:
CVE-2022-24434
SNYK-JS-DICER-2311764
mscdex/busboy#250
mscdex/dicer#22

Notes:
Only used during test anyway.
sgammon added a commit to sgammon/axios-fetch that referenced this issue Dec 19, 2022
@sgammon
fix: pin multer -> 1.4.4-lts.1 to mitigate GHSA-wm7h-9275-46v2
3caf395 
Severity:
High

References:
CVE-2022-24434
SNYK-JS-DICER-2311764
mscdex/busboy#250
mscdex/dicer#22

Notes:
Only used during test anyway.
sgammon added a commit to sgammon/axios-fetch that referenced this issue Dec 19, 2022
@sgammon
fix: pin multer -> 1.4.4-lts.1 to mitigate GHSA-wm7h-9275-46v2
204800e 
Severity:
High

References:
CVE-2022-24434
SNYK-JS-DICER-2311764
mscdex/busboy#250
mscdex/dicer#22

Notes:
Only used during test anyway.
@github-actions github-actions bot mentioned this issue Apr 4, 2023
Open
@github-actions github-actions bot mentioned this issue Jun 6, 2024
Open
@Niharika0104 Niharika0104 mentioned this issue Dec 21, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mscdex @kibertoad @RolandHeinze