OSTIF is proud to share the results of our security audit of Fastify. Fastify is an open source, low-overhead web framework for Node.js that prioritizes speed while remaining extensible and approachable. This audit was possible through the efforts of Ada Logics and the support of the OpenJS Foundation.
Audit Process:
The first deliverable of this audit was a detailed threat model of Fastify that describes and illustrates the project's data flow. The threat model covers all major components, along with detailed descriptions of the attack surface and the threat actors that could target it. The audit was scoped to the core Fastify module plus 26 other modules maintained by Fastify; each of those 27 modules was manually audited by the team at Ada Logics. In addition, the team reworked the existing Fastify fuzzers and ran targeted fuzz testing to cover different processing paths across a variety of plugins.
Audit Results:
- Threat model of the core Fastify framework
- Manual audit of 26 core Fastify modules and plugins
- 5 reported issues
  - 1 High
  - 4 Informational
- 8 fuzzers calibrated
- Fastify integrated into the OSS-Fuzz project
As a lightweight and streamlined web framework, Fastify ideally runs with high efficiency and with as little wasted code or time as possible. A security audit like this is good cybersecurity practice and also serves as a kind of “checkup” for a project, a fine-tuning of the code’s performance and purpose. Audits generate impactful quantitative findings, but they also produce documentation, insights, and recommendations that inspire future security work and strengthen future releases.
Thank you to the individuals and groups that made this engagement possible:
- Fastify maintainers and community, specifically Matteo Collina
- Ada Logics: Sheung (Arthur) Chi Chan, Adam Korczynski, and David Korczynski
- OpenJS Foundation: Ben Sternthal and Robin Ginn
You can read the Audit Report HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting more pivotal research, contact [email protected].