@fastify/busboy is vulnerable to Improper Input Validation
55
Medium Risk
Affected versions of this package do not correctly enforce RFC 2183/7578 rules for quoted parameters, so a closing quote in a filename parameter does not terminate parsing as it should. In practice an attacker can supply a header like Content-Disposition: form-data; name="file"; filename="payload.jpg".html and the library will incorrectly yield the filename payload.jpg.html instead of payload.jpg. This bug was fixed in version 3.2.0 by changing the parser to skip any characters after the closing quote until the next semicolon. In other words, the vulnerable versions will “continue to parse characters after” the closing quote, violating the spec. A malicious client could sneak a forbidden extension (like .php or .html) outside the quotes so that an upload filter is fooled or a file is saved with the wrong extension. This could lead to serving a malicious script or enabling XSS if a script file is stored under an allowed name.
You are affected if you are using a version of this package < 3.2.0.
@fastify/busboy is vulnerable to Improper Input Validation in versions 1.0.0 - 3.1.1.
Upgrade the @fastify/busboy library to the patched version (3.2.0 or later).
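To make the parsing rule concrete, here is an added example (not code from @fastify/busboy) of a minimal Content-Disposition parameter parser that applies the RFC 2183/7578 behaviour the advisory describes: a quoted value ends at its closing quote, and anything between that quote and the next semicolon is discarded and reported rather than appended. The `isAcceptableUpload` helper and its allow-list are assumptions for illustrating how an upload filter can use that signal.

```javascript
// Added example, not @fastify/busboy's own code. Parses the parameters of a
// Content-Disposition header value and returns { type, params, trailing }, where
// `trailing` records any non-whitespace text found after a closing quote.
function parseContentDisposition(header) {
  const n = header.length;
  let i = header.indexOf(';');
  if (i === -1) i = n;
  const type = header.slice(0, i).trim(); // e.g. "form-data"
  const params = {};
  const trailing = {}; // param name -> junk found after the closing quote
  while (i < n) {
    i++; // skip ';'
    let start = i;
    while (i < n && header[i] !== '=' && header[i] !== ';') i++;
    const name = header.slice(start, i).trim().toLowerCase();
    if (header[i] !== '=') continue; // bare token without a value
    i++;
    let value = '';
    if (header[i] === '"') {
      i++;
      while (i < n && header[i] !== '"') {
        if (header[i] === '\\' && i + 1 < n) i++; // quoted-pair: \" and \\
        value += header[i++];
      }
      i++; // consume the closing quote: the value ends here (RFC 2183)
      start = i;
      while (i < n && header[i] !== ';') i++; // skip to next ';'
      const junk = header.slice(start, i).trim();
      if (junk) trailing[name] = junk; // e.g. ".html" smuggled after the quote
    } else {
      start = i;
      while (i < n && header[i] !== ';') i++;
      value = header.slice(start, i).trim();
    }
    if (name) params[name] = value;
  }
  return { type, params, trailing };
}

// Hypothetical upload filter: accept only when the parsed filename has an
// allowed extension and nothing was smuggled after the closing quote.
function isAcceptableUpload(header, allowed = ['jpg', 'png']) {
  const { params, trailing } = parseContentDisposition(header);
  const fname = params.filename || '';
  const ext = fname.slice(fname.lastIndexOf('.') + 1).toLowerCase();
  return !('filename' in trailing) && fname.includes('.') && allowed.includes(ext);
}
```

With the header from the advisory, the parser yields `payload.jpg` as the filename and `.html` in `trailing.filename`, so the filter rejects the request instead of saving an `.html` file.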