CVE-2025-24033: 
JavaScript vulnerability analysis and mitigation

@fastify/multipart, a Fastify plugin for parsing multipart content-type, was found to have a vulnerability where the saveRequestFiles function does not delete uploaded temporary files when a user cancels the request. This issue was identified and tracked as CVE-2025-24033, affecting versions prior to 8.3.1 and 9.0.3. The vulnerability was discovered on January 23, 2025, and was subsequently fixed in versions 8.3.1 and 9.0.3 (NVD, Red Hat CVE).

The vulnerability stems from improper resource management in the saveRequestFiles function, which is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that it can be exploited remotely without requiring privileges or user interaction (NVD).

When a user cancels a file upload request, the temporary files created during the upload process remain on the server's disk space. This can lead to disk space exhaustion if multiple cancelled uploads occur, potentially causing a denial of service condition (CISA Bulletin).

As a temporary workaround, users are advised not to use the saveRequestFiles function. For a permanent fix, users should upgrade to versions 8.3.1 or 9.0.3, which properly handle file cleanup when requests are cancelled (NVD).

The vulnerability was actively discussed in the GitHub community, with developers collaborating on a fix through pull request #567. The issue received attention from key maintainers and was addressed promptly, demonstrating the project's commitment to security (GitHub PR).