Yuki-Matsuhashi

**Name of the Vulnerable Software and Affected Versions** multer versions 2.0.0-alpha.1 through 2.1.1 multer version 3.0.0-alpha.1 **Description** A Denial of Service issue exists when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the `Readable.pipe()` call does not propagate the stream destroy signal to the underlying `fs.WriteStream`. This allows an attacker to exhaust disk space by triggering numerous aborted uploads. **Recommendations** Upgrade to version 2.2.0 for versions 2.0.0-alpha.1 through 2.1.1. Upgrade to version 3.0.0-alpha.2 for version 3.0.0-alpha.1.

**Name of the Vulnerable Software and Affected Versions** @fastify/static versions 8.0.0 through 9.1.0 **Description** Path traversal occurs when directory listing is enabled via the `list` option. The `dirList.path()` function resolves directories outside the configured static root using `path.join()` without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names, although file contents are not disclosed. **Recommendations** Upgrade to version 9.1.1. As a temporary workaround, disable directory listing by removing the `list` option from the plugin configuration.