March 10, 20200 mins read
On April 9th Francesco Soncina — also known as
This security report was eventually deemed relatively harmless since it doesn’t affect Fastify by itself. This happened because the JSON schema is provided by the user as an application configuration item and thus is regarded as a trusted input.
Nonetheless, it is interesting, but also critical, to highlight the importance of such security reports, whether they end up as a verified CVE security bug or not.
In this case, in particular, the security discussion throughout the report revolves around an ongoing debate between Fastify’s maintainer and the security researcher who disclosed it. The collaborative effort and determination from Collina and Soncina, is quite fascinating. Their effort focuses on flushing out all possible security sinks in the JSON rendering logic in order to make it as fault-tolerant as possible to security issues that may crawl up.
Most interestingly, this security vulnerability report led to:
A more robust and secure JSON parsing in
fast-json-stringifythat manifests through this pull request on GitHub and its follow-up official release in version 1.15.3.
A security disclaimer in the documentation that clearly states the concerns and areas of risk so that users of the library will be well-informed on how to handle data. It was introduced through this pull request.
As I was wrapping up this report and preparing it for disclosure, it became clear to me that we should be doing more to recognize the value of security disclosures. Although the reported issue didn’t directly impact Fastify or
fast-json-stringify,it sparked a meaningful discussion. Most importantly, it promoted awareness among maintainers of security concerns around their code.