CVE-2025-24033
Published: 23 January 2025
Description
@fastify/multipart is a Fastify plugin that parses multipart content-type requests. Prior to 8.3.1 and 9.0.3, the saveRequestFiles function does not delete the uploaded temporary files when the user cancels the request. This is fixed in 8.3.1 and 9.0.3. As a workaround, do not use saveRequestFiles.
Security Summary
CVE-2025-24033 affects the @fastify/multipart plugin for Fastify, which handles parsing of multipart content-type requests. In versions prior to 8.3.1 and 9.0.3, the saveRequestFiles function fails to delete uploaded temporary files when a user cancels the request, leading to accumulation of these files on the filesystem. This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no confidentiality or integrity effects.
The flaw is exploitable remotely with low complexity and requires neither privileges nor user interaction. An unauthenticated attacker who can reach a route that calls saveRequestFiles starts a multipart upload, lets the plugin begin writing the part to its temporary directory (the OS temp directory by default), and then closes the connection; the partially written file is never removed. Each repetition leaves another orphaned file behind, so the cost to the attacker is only bandwidth while the server's temp storage fills up. Because the temp directory is usually shared with the rest of the host, exhausting it can disrupt other processes as well, not just the Fastify application. Only applications that actually call saveRequestFiles are affected; routes that consume uploads through the plugin's streaming interface are not exposed by this particular bug.
Mitigation is to upgrade to @fastify/multipart 8.3.1 (8.x line) or 9.0.3 (9.x line); `npm ls @fastify/multipart` shows which version a project resolves. As a workaround, avoid saveRequestFiles and instead handle uploads through the plugin's streaming interface, removing any file you write yourself when the request ends or aborts. Details are documented in the GitHub security advisory (GHSA-27c6-mcxv-x3fh), issue tracker (#546), and pull request (#567).
Details
- CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)
MITRE ATT&CK Enterprise Techniques
- Endpoint Denial of Service: OS Exhaustion Flood (T1499.001). Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS).
Why these techniques?
The vulnerability lets an unauthenticated client exhaust disk space with uncleaned temporary files left behind by cancelled multipart uploads; because the plugin writes to the host's temp directory, the effect is OS-level resource exhaustion, which is what Endpoint DoS covers.