CVE-2025-24033 Information

Description

@fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3 the saveRequestFiles function does not delete the uploaded temporary files when user cancels the request. The issue is fixed in versions 8.3.1 and 9.0.3. As a workaround do not use saveRequestFiles.

Reference

https://github.com/fastify/fastify-multipart/issues/546 https://github.com/fastify/fastify-multipart/pull/567 https://github.com/fastify/fastify-multipart/security/advisories/GHSA-27c6-mcxv-x3fh