@fastify/multipart
cpe:2.3:a:fastify:fastify-multipart:*:*:*:*:fastify:*:*
Affected versions:
- <= 8.3.0
- >= 9.0.0, < 9.0.3
A vulnerability exists in the @fastify/multipart plugin in versions prior to 8.3.1 and 9.0.3. The 'saveRequestFiles' function does not account for aborted requests and therefore fails to delete temporary files when a user cancels a request. This can lead to unbounded resource consumption: uploading a large file and cancelling the request mid-transfer leaves the temporary file on disk undeleted.
This vulnerability can cause a denial-of-service condition by not properly cleaning up temporary files, leading to excessive resource consumption.
To reproduce this vulnerability, upload a large file using the 'saveRequestFiles' function in a Fastify route. While the file is uploading, cancel the request. The temporary file will not be deleted, causing unnecessary resource usage.
Users can upgrade to @fastify/multipart version 8.3.1 or 9.0.3, where this issue is fixed. As a workaround, avoid the 'saveRequestFiles' function.