| purl | pkg:npm/fastify@5.3.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-13ut-fezt-uuh1 (Aliases: CVE-2026-33806, GHSA-247c-9743-5963) | fastify: Schema validation bypass via malformed Content-Type header | Affected by 0 other vulnerabilities. |
| VCID-2bqg-g3xd-tyd4 (Aliases: CVE-2026-25223, GHSA-jx2c-rxcm-jvmq) | Fastify's Content-Type header tab character allows body validation bypass. A validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (`\t`) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. For example, a request with `Content-Type: application/json\ta` will bypass JSON schema validation but still be parsed as JSON. This vulnerability affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints. The concrete impact depends on the handler implementation and the level of trust placed in the validated request body, but at the library level this allows complete bypass of body validation for any handler using Content-Type-discriminated schemas. This issue is a regression or missed edge case from the fix for a previously reported vulnerability. | Affected by 4 other vulnerabilities. |
| VCID-ma3h-te21-ekhk (Aliases: CVE-2026-3635, GHSA-444r-cwp2-x5xf) | fastify: request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses a restrictive trust function | Affected by 1 other vulnerability. |
| VCID-zxan-bkya-9kau (Aliases: CVE-2026-25224, GHSA-mrq3-vjjr-p77c) | Fastify vulnerable to DoS via unbounded memory allocation in sendWebStream. A Denial of Service vulnerability in Fastify's Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a `ReadableStream` (or a `Response` with a Web Stream body) via `reply.send()` are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. | Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-sm6d-f73t-5khc | Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass. In applications that specify different validation strategies for different content types, it is possible to bypass the validation by providing a _slightly altered_ content type, such as one with different casing or altered whitespace before `;`. Users of the first pattern below (content-type-keyed `schema.body.content`) are affected; users of the second pattern (a single `schema.body` schema) are **not**. | CVE-2025-32442, GHSA-mg2h-6x62-wpwc |

Affected pattern, from the advisory summary for VCID-sm6d-f73t-5khc:

```js
fastify.post('/', {
  handler(request, reply) {
    reply.code(200).send(request.body)
  },
  schema: {
    body: {
      content: {
        'application/json': {
          schema: {
            type: 'object',
            properties: {
              foo: { type: 'string' }
            },
            required: ['foo']
          }
        }
      }
    }
  }
})
```

Pattern that is **not** affected:

```js
fastify.post('/', {
  handler(request, reply) {
    reply.code(200).send(request.body)
  },
  schema: {
    body: {
      type: 'object',
      properties: {
        foo: { type: 'string' }
      },
      required: ['foo']
    }
  }
})
```
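Both content-type advisories on this page (VCID-2bqg-g3xd-tyd4 / CVE-2026-25223 and VCID-sm6d-f73t-5khc / CVE-2025-32442) describe the same bug class: the key used to pick a body-validation schema is derived from the `Content-Type` header differently from the key used to pick the body parser, so a header that still parses as JSON no longer matches the JSON schema. The following is an added example, not Fastify's own code: a deliberately simplified model of that mismatch (a lenient parser-selection regex next to a raw-string schema lookup) beside a hardened version that derives one canonical media-type essence under the RFC 7231 token grammar and fails closed. The schema table, probe headers and the `selectBodySchema` helper are constructed for illustration.

```javascript
'use strict';

// Constructed schema table keyed by media-type essence, standing in for the
// `schema.body.content` pattern in the advisories (hypothetical app config).
const BODY_SCHEMAS = {
  'application/json': { type: 'object', required: ['foo'] },
  'text/plain': { type: 'string' },
};

// ---- Vulnerable shape (a model of the bug class, not Fastify's own code) ----
// Parser selection is lenient: the first run of non-blank characters before any
// ';' picks the parser, so "application/json\ta" is still decoded as JSON.
function lenientParserKey(header) {
  const m = /^[ \t]*([^ \t;]+)/.exec(header);
  return m ? m[1].toLowerCase() : null;
}

// Schema selection uses the raw header as the dictionary key. Any byte-level
// difference (casing, whitespace before ';', a trailing tab) misses the schema
// while the parser above still decodes the body: validation is skipped.
function vulnerableSchemaLookup(header) {
  return BODY_SCHEMAS[header];
}

// ---- Hardened shape ----
// RFC 7231 token grammar for type and subtype: ALPHA / DIGIT / "!#$%&'*+-.^_`|~".
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Returns the lowercased "type/subtype" essence, or null when the header is not a
// well-formed media type. SP and HTAB are accepted only as optional whitespace
// around the ';' that introduces parameters, never inside the type or subtype.
function parseMediaType(header) {
  if (typeof header !== 'string') return null;
  const semi = header.indexOf(';');
  const essence = (semi === -1 ? header : header.slice(0, semi)).replace(/^[ \t]+|[ \t]+$/g, '');
  const slash = essence.indexOf('/');
  if (slash === -1) return null;
  const type = essence.slice(0, slash);
  const subtype = essence.slice(slash + 1);
  if (!TOKEN.test(type) || !TOKEN.test(subtype)) return null;
  return `${type}/${subtype}`.toLowerCase();
}

// One canonical key drives both parser and schema selection, and the route fails
// closed: a malformed header, or a type with no schema, is rejected with 415
// instead of falling through to an unvalidated body.
function selectBodySchema(header) {
  const key = parseMediaType(header);
  if (key === null) return { statusCode: 415, key: null, schema: null };
  const schema = BODY_SCHEMAS[key];
  if (!schema) return { statusCode: 415, key, schema: null };
  return { statusCode: 200, key, schema };
}

// Constructed probes: the exact value, the tab variant from CVE-2026-25223, the
// casing / whitespace variants from CVE-2025-32442, and a tab that is legal OWS
// before ';' and must still be accepted.
const PROBES = [
  'application/json',
  'application/json\ta',
  'Application/JSON',
  'application/json ;charset=utf-8',
  'text/plain\t;charset=utf-8',
];

function demo() {
  return PROBES.map((h) => {
    const hardened = selectBodySchema(h);
    return {
      header: JSON.stringify(h),
      vulnerable: { parsedAs: lenientParserKey(h), validated: vulnerableSchemaLookup(h) !== undefined },
      hardened: { statusCode: hardened.statusCode, key: hardened.key },
    };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In the vulnerable half every probe except the exact string is "parsed as JSON, validated: false", which is the bypass the advisories describe. In the hardened half the tab-in-subtype probe is rejected outright, the casing and whitespace variants normalise to `application/json` and are validated, and the legitimate tab before `;` still passes; the point is that normalisation and rejection both happen once, in one function, and every downstream consumer uses its result.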