High severity7.5NVD Advisory· Published Jan 23, 2025· Updated Apr 15, 2026

CVE-2025-24033

Description

@fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3, the saveRequestFiles function does not delete the uploaded temporary files when user cancels the request. The issue is fixed in versions 8.3.1 and 9.0.3. As a workaround, do not use saveRequestFiles.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@fastify/multipartnpm	< 8.3.1	8.3.1
@fastify/multipartnpm	>= 9.0.0, < 9.0.3	9.0.3

Patches

f58f774a1bd4

https://github.com/fastify/fastify-multipartvia osv

a75d0d7b1ef0

https://github.com/fastify/fastify-multipartvia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-27c6-mcxv-x3fhghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-24033ghsaADVISORY
github.com/fastify/fastify-multipart/issues/546nvdWEB
github.com/fastify/fastify-multipart/pull/567nvdWEB
github.com/fastify/fastify-multipart/security/advisories/GHSA-27c6-mcxv-x3fhnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000