PT-2025-1271 · Fastify · Fastify-Multipart

Mcollina · Published 2025-01-23 · Updated 2025-01-23 · CVE-2025-24033

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

@fastify/multipart versions prior to 8.3.1 and 9.0.3

Description

The issue is related to the saveRequestFiles function in the @fastify/multipart plugin for Fastify, which fails to delete uploaded temporary files when a user cancels a request. This can be exploited by a remote attacker to cause a denial of service by sending a specially crafted request. The problem is caused by the incorrect handling of authentication tokens due to unlimited resource allocation.

Recommendations

For versions prior to 8.3.1, update to version 8.3.1 or later. For versions prior to 9.0.3, update to version 9.0.3 or later. As a temporary workaround, do not use the saveRequestFiles function until a patch is applied.
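
To check a project against the version ranges above, the following added example (not part of the advisory or of the Fastify project) audits an npm lockfile for installed copies of @fastify/multipart. It assumes a lockfileVersion 2/3 `packages` map, reads the ranges as "below 8.3.1" and "9.x below 9.0.3", and uses a constructed sample lockfile with a hypothetical `legacy-uploader` dependency.

```javascript
// Added example: audit an npm lockfile for @fastify/multipart versions
// affected by CVE-2025-24033 (fixed in 8.3.1 and 9.0.3 per the advisory).
const PKG = '@fastify/multipart';

// Parse "major.minor.patch", ignoring any pre-release or build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Assumption: everything below 8.3.1 is affected, and on the 9.x line
// everything below 9.0.3 is affected.
function isAffected(version) {
  const v = parseVersion(version);
  if (v[0] >= 9) return lessThan(v, [9, 0, 3]);
  return lessThan(v, [8, 3, 1]);
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// report every installed copy, including copies nested under other packages.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${PKG}`) || !meta.version) continue;
    findings.push({ path, version: meta.version, affected: isAffected(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile fragment (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@fastify/multipart': { version: '9.0.3' },
    'node_modules/legacy-uploader/node_modules/@fastify/multipart': { version: '8.3.0' },
    'node_modules/fastify': { version: '5.2.1' },
  },
};

for (const f of auditLockfile(sampleLock)) {
  console.log(`${f.affected ? 'AFFECTED' : 'ok      '} ${f.version}  ${f.path}`);
}
```

Nested copies matter here: a patched top-level install does not help if a transitive dependency still pins an affected release.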

Exploit

Fix

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

BDU:2025-00720
CVE-2025-24033
GHSA-27C6-MCXV-X3FH

Affected Products

Fastify-Multipart