CVE-2020-8192
Denial of Service vulnerability in fastify (npm)
What is CVE-2020-8192 About?
This denial of service vulnerability in Fastify allows a malicious user to trigger resource exhaustion through specially crafted schemas when the 'allErrors' option is enabled. The impact is a potential shutdown or unresponsive state for the affected service. Exploitation is relatively easy for an attacker with knowledge of the system's schema processing.
Affected Software
Technical Details
The vulnerability arises in Fastify versions v2.14.1 and v3.0.0-rc.4 when the 'allErrors' option is utilized. An attacker can craft a malicious schema that, when processed by Fastify, consumes excessive system resources (CPU, memory), leading to resource exhaustion. This is due to inefficient error handling or schema validation processes when 'allErrors' is active, causing the application to become unresponsive or crash. The attack vector involves submitting requests with these specially crafted schemas to the vulnerable Fastify instance.
What is the Impact of CVE-2020-8192?
Successful exploitation may allow attackers to disrupt service availability, leading to a denial of service for legitimate users.
What is the Exploitability of CVE-2020-8192?
Exploitation of this vulnerability is of moderate complexity, requiring specific knowledge of Fastify's schema processing and the 'allErrors' option. There are no explicit authentication or privilege requirements to trigger the vulnerability, making it accessible to unauthenticated attackers. The attack is remote, as it involves sending crafted requests to the server. The primary condition for successful exploitation is that the Fastify application must be configured with the 'allErrors' option enabled. A higher likelihood of exploitation exists in applications that process user-supplied or untrusted schemas without proper validation or resource limits.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-8192?
Available Upgrade Options
- fastify
  - <2.15.1 → Upgrade to 2.15.1
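The affected range above is the practical test for exposure. The script below is an added example, not code from the advisory or from the Fastify project: it walks a `package-lock.json` object (lockfile v1 nested `dependencies` or v2/v3 flat `packages` layout), finds every installed copy of `fastify`, and flags the versions the advisory names as affected (`<2.15.1`, plus the `3.0.0-rc.4` release candidate mentioned in the technical details). The lockfile contents are constructed sample data; a small semver comparator is included so the check runs without any npm dependency and treats a prerelease as sorting below its release.

```javascript
// Added example (not from the advisory or Fastify): audit a lockfile for
// fastify versions listed as affected by CVE-2020-8192.
// Assumption: the affected set is exactly what the advisory states,
// i.e. every version below 2.15.1 and the 3.0.0-rc.4 release candidate.
const ADVISORY = {
  id: 'CVE-2020-8192',
  pkg: 'fastify',
  fixedBelow: '2.15.1',          // "<2.15.1 -> Upgrade to 2.15.1"
  alsoAffected: ['3.0.0-rc.4'],  // release candidate named in the advisory
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v") into parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator returning <0, 0 or >0; a prerelease sorts below its release.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;   // release > prerelease
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1; // plain string order is enough here
}

// True when the installed version falls inside the advisory's affected set.
function isAffected(version) {
  if (ADVISORY.alsoAffected.includes(version)) return true;
  return compareSemver(version, ADVISORY.fixedBelow) < 0;
}

// Collect every installed fastify copy from either lockfile layout.
function fastifyVersionsFromLock(lock) {
  const found = [];
  if (lock.packages) {            // lockfileVersion 2/3: flat path -> entry map
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${ADVISORY.pkg}` ||
          path.endsWith(`/node_modules/${ADVISORY.pkg}`)) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) { // lockfileVersion 1: nested tree
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === ADVISORY.pkg) found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Annotate each fastify copy with its affected status.
function audit(lock) {
  return fastifyVersionsFromLock(lock)
    .map(f => ({ ...f, affected: isAffected(f.version) }));
}

// Constructed sample lockfile (v2 layout) with two fastify copies:
// one unpatched at the top level, one already on the fixed release.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/fastify': { version: '2.14.1' },
    'node_modules/some-plugin/node_modules/fastify': { version: '2.15.1' },
  },
};

for (const r of audit(SAMPLE_LOCK)) {
  console.log(`${r.path}@${r.version}: ${r.affected ? 'AFFECTED by ' + ADVISORY.id : 'ok'}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; nested copies pulled in by plugins are reported separately because each one is compiled and loaded on its own.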
What are Similar Vulnerabilities to CVE-2020-8192?
Similar Vulnerabilities: CVE-2021-3807, CVE-2023-39325, CVE-2023-4581, CVE-2022-24757, CVE-2022-2900
