VulnerableCode Package Details - pkg:npm/fastify@4.10.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-6ht9-gg8u-9qax Aliases: CVE-2026-25224 GHSA-mrq3-vjjr-p77c	Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.	5.7.3 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-8p2p-977a-qqb6 Aliases: CVE-2026-25223 GHSA-jx2c-rxcm-jvmq	Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.	5.7.2 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-g4ar-bpke-2qc2 Aliases: CVE-2026-3635 GHSA-444r-cwp2-x5xf	Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application. Affected Versions fastify <= 5.8.2 Impact Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function. When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.	5.8.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-6ht9-gg8u-9qax
Aliases:
CVE-2026-25224
GHSA-mrq3-vjjr-p77c

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.

5.7.3
Affected by 3 other vulnerabilities.

VCID-8p2p-977a-qqb6
Aliases:
CVE-2026-25223
GHSA-jx2c-rxcm-jvmq

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.

5.7.2
Affected by 4 other vulnerabilities.

VCID-g4ar-bpke-2qc2
Aliases:
CVE-2026-3635
GHSA-444r-cwp2-x5xf

Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application. Affected Versions fastify <= 5.8.2 Impact Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function. When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.

5.8.3
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-gmrs-ecv5-6kgm	Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect `Content-Type` to bypass the `Pre-Flight` checking of `fetch`. `fetch()` requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts `application/json` content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack. This issue has been patched in version 4.10.2 and 3.29.4. As a workaround, implement Cross-Site Request Forgery protection using `@fastify/csrf'.	CVE-2022-41919 GHSA-3fjj-p79j-c9hh GMS-2022-6953

Vulnerability

Summary

Aliases

VCID-gmrs-ecv5-6kgm

Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect `Content-Type` to bypass the `Pre-Flight` checking of `fetch`. `fetch()` requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts `application/json` content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack. This issue has been patched in version 4.10.2 and 3.29.4. As a workaround, implement Cross-Site Request Forgery protection using `@fastify/csrf'.

CVE-2022-41919
GHSA-3fjj-p79j-c9hh
GMS-2022-6953

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-14T11:55:18.913508+00:00	GitLab Importer	Fixing	VCID-gmrs-ecv5-6kgm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fastify/CVE-2022-41919.yml	38.6.0
2026-06-12T21:37:19.491070+00:00	GitLab Importer	Affected by	VCID-g4ar-bpke-2qc2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fastify/CVE-2026-3635.yml	38.6.0
2026-06-12T20:54:39.192407+00:00	GitLab Importer	Affected by	VCID-6ht9-gg8u-9qax	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fastify/CVE-2026-25224.yml	38.6.0
2026-06-12T20:54:36.589735+00:00	GitLab Importer	Affected by	VCID-8p2p-977a-qqb6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fastify/CVE-2026-25223.yml	38.6.0
2026-06-12T08:17:34.263922+00:00	GithubOSV Importer	Fixing	VCID-gmrs-ecv5-6kgm	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-3fjj-p79j-c9hh/GHSA-3fjj-p79j-c9hh.json	38.6.0
2026-06-11T20:33:21.462974+00:00	GHSA Importer	Fixing	VCID-gmrs-ecv5-6kgm	https://github.com/advisories/GHSA-3fjj-p79j-c9hh	38.6.0