purl: `pkg:npm/fastify@5.7.2`
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-13ut-fezt-uuh1 (aliases: CVE-2026-33806, GHSA-247c-9743-5963) | Fastify: schema validation bypass via malformed Content-Type header. | Affected by 0 other vulnerabilities. |
| VCID-ma3h-te21-ekhk (aliases: CVE-2026-3635, GHSA-444r-cwp2-x5xf) | `request.protocol` and `request.host` spoofable via X-Forwarded-Proto/Host from untrusted connections when `trustProxy` uses a restrictive trust function. | Affected by 1 other vulnerability. |
| VCID-sg2c-d386-d7dk (aliases: CVE-2026-3419, GHSA-573f-x89g-hqp9) | Missing end anchor in `subtypeNameReg` allows malformed Content-Types to pass validation. Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of [RFC 9110 §8.3.1](https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with `Content-Type: application/json garbage` passes validation and is processed normally, rather than being rejected with `415 Unsupported Media Type`. When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against the registered parsers using the full string, including the trailing garbage, so a request with an invalid content type may be routed to and processed by a parser it should never have reached. | Affected by 2 other vulnerabilities. |
| VCID-zxan-bkya-9kau (aliases: CVE-2026-25224, GHSA-mrq3-vjjr-p77c) | DoS via unbounded memory allocation in `sendWebStream`. A denial-of-service vulnerability in Fastify's Web Streams response handling allows a remote client to exhaust server memory. Applications that return a `ReadableStream` (or a `Response` with a Web Stream body) via `reply.send()` are affected. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. | Affected by 3 other vulnerabilities. |
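The spoofing class behind VCID-ma3h-te21-ekhk (CVE-2026-3635) comes down to one question: when may `X-Forwarded-Proto`, `X-Forwarded-Host` and `X-Forwarded-For` be believed? The block below is an added example and is not Fastify's code. It places a lenient resolver, which honours the headers whenever any trust function is configured, beside a strict one that asks `trust(address, hop)` about the peer that actually opened the socket and walks the `X-Forwarded-For` chain from that peer outwards. The request shape (`remoteAddress`, `encrypted`, lowercase `headers`), the `trustPrivateHops` function and the sample requests are constructed for the demonstration.

```javascript
// Added example (not Fastify's code): X-Forwarded-* headers must only be
// honoured when the connecting peer passes the trust function.
// `req` is a constructed shape: { remoteAddress, encrypted, headers } with
// lowercase header names, as Node's http module presents them.

// Leftmost value of a possibly comma-separated header.
function firstValue(header) {
  return String(header).split(",")[0].trim();
}

// Constructed trust function in the style of a trustProxy callback: only
// hops inside 10.0.0.0/8 are proxies we operate.
const trustPrivateHops = (address, _hop) => address.startsWith("10.");

// Lenient model of the bug class: once a trust function exists at all, the
// forwarded headers are believed regardless of which peer sent them.
function resolveLenient(req, trust) {
  const h = req.headers;
  const proxied = typeof trust === "function";
  return {
    protocol: proxied && h["x-forwarded-proto"]
      ? firstValue(h["x-forwarded-proto"])
      : (req.encrypted ? "https" : "http"),
    host: proxied && h["x-forwarded-host"] ? firstValue(h["x-forwarded-host"]) : h.host,
  };
}

// Strict resolver: build the chain [socket peer, rightmost XFF, ..., leftmost XFF]
// and keep walking while trust(addr, hop) holds; the first untrusted address is
// the client. Proto/Host are consulted only if the immediate peer (hop 0) is trusted.
function resolveStrict(req, trust) {
  const h = req.headers;
  const chain = [req.remoteAddress];
  if (h["x-forwarded-for"]) {
    chain.push(...String(h["x-forwarded-for"]).split(",").map((s) => s.trim()).reverse());
  }
  let hop = 0;
  while (hop < chain.length - 1 && trust(chain[hop], hop)) hop++;

  let protocol = req.encrypted ? "https" : "http";
  let host = h.host;
  if (trust(req.remoteAddress, 0)) {
    const fp = h["x-forwarded-proto"] && firstValue(h["x-forwarded-proto"]).toLowerCase();
    if (fp === "http" || fp === "https") protocol = fp; // never accept arbitrary scheme strings
    if (h["x-forwarded-host"]) host = firstValue(h["x-forwarded-host"]);
  }
  return { protocol, host, ip: chain[hop] };
}

// Constructed requests: one straight from the internet with forged headers,
// one that really came through the 10.0.0.5 load balancer but carries a
// forged leading X-Forwarded-For entry.
const directSpoof = {
  remoteAddress: "203.0.113.7",
  encrypted: false,
  headers: { host: "app.internal", "x-forwarded-proto": "https", "x-forwarded-host": "evil.example" },
};
const viaLoadBalancer = {
  remoteAddress: "10.0.0.5",
  encrypted: false,
  headers: {
    host: "app.internal",
    "x-forwarded-proto": "https",
    "x-forwarded-host": "app.example.com",
    "x-forwarded-for": "1.2.3.4, 198.51.100.9",
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("lenient, direct:", resolveLenient(directSpoof, trustPrivateHops));
  console.log("strict, direct: ", resolveStrict(directSpoof, trustPrivateHops));
  console.log("strict, via LB: ", resolveStrict(viaLoadBalancer, trustPrivateHops));
}
```

The lenient resolver reports the direct connection as `https` to `evil.example`; the strict one keeps `http` and the socket-level `Host`, and for the proxied request it attributes the client to `198.51.100.9` rather than the forged `1.2.3.4`, because the walk stops at the first address the trust function rejects.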
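VCID-zxan-bkya-9kau (CVE-2026-25224) describes "unbounded buffering when backpressure is ignored". The block below is an added example, not Fastify's `sendWebStream`, showing what that looks like when a Web `ReadableStream` is drained into a Node `Writable`: a loop that never looks at the boolean returned by `write()`, beside a loop that pauses on `false` and resumes on `'drain'`, and the idiomatic `stream.pipeline()` form. The source, the deliberately slow sink (a stand-in for a client that reads slowly) and the chunk sizes are constructed; Node's `stream` module is loaded with a dynamic import so the file runs under both CommonJS and ESM.

```javascript
// Added example (not Fastify's code): draining a Web ReadableStream into a
// Node Writable with and without backpressure. Everything here is constructed.

const CHUNK_SIZE = 64 * 1024;  // 64 KiB per chunk
const CHUNK_COUNT = 64;        // 4 MiB in total
const SINK_HWM = 128 * 1024;   // sink highWaterMark: two chunks

// Web ReadableStream that hands out CHUNK_COUNT chunks as fast as it is pulled.
function makeSource() {
  let produced = 0;
  return new ReadableStream({
    pull(controller) {
      if (produced++ < CHUNK_COUNT) controller.enqueue(Buffer.alloc(CHUNK_SIZE, 0x41));
      else controller.close();
    },
  });
}

// Slow sink standing in for a client that reads slowly: each write is only
// acknowledged 1 ms later. It records the largest queue it ever holds, i.e.
// how much memory the server kept on this one client's behalf.
async function makeSlowSink() {
  const { Writable } = await import("node:stream");
  const sink = new Writable({
    highWaterMark: SINK_HWM,
    write(_chunk, _encoding, callback) {
      this.maxBuffered = Math.max(this.maxBuffered, this.writableLength);
      setTimeout(callback, 1);
    },
  });
  sink.maxBuffered = 0;
  return sink;
}

// End the sink, wait for 'finish', report the peak queue size in bytes.
async function settle(sink) {
  const { finished } = await import("node:stream/promises");
  sink.end();
  await finished(sink);
  return sink.maxBuffered;
}

// Vulnerable pattern: write() returns false once the queue reaches the
// high-water mark, but nobody looks, so all 4 MiB sit in the Writable while
// the client is still acknowledging the first chunk.
async function drainIgnoringBackpressure() {
  const sink = await makeSlowSink();
  for await (const chunk of makeSource()) {
    sink.write(chunk);
    sink.maxBuffered = Math.max(sink.maxBuffered, sink.writableLength);
  }
  return settle(sink);
}

// Fixed by hand: stop pulling when write() returns false, resume on 'drain'.
async function drainHonouringBackpressure() {
  const sink = await makeSlowSink();
  for await (const chunk of makeSource()) {
    const ok = sink.write(chunk);
    sink.maxBuffered = Math.max(sink.maxBuffered, sink.writableLength);
    if (!ok) await new Promise((resolve) => sink.once("drain", resolve));
  }
  return settle(sink);
}

// Idiomatic fix: adapt the Web stream and let stream.pipeline() do flow control.
async function drainWithPipeline() {
  const { Readable } = await import("node:stream");
  const { pipeline } = await import("node:stream/promises");
  const sink = await makeSlowSink();
  await pipeline(Readable.fromWeb(makeSource()), sink);
  return sink.maxBuffered;
}

if (typeof require !== "undefined" && require.main === module) {
  (async () => {
    console.log("ignoring backpressure, peak bytes queued:", await drainIgnoringBackpressure());
    console.log("manual backpressure,  peak bytes queued:", await drainHonouringBackpressure());
    console.log("pipeline,             peak bytes queued:", await drainWithPipeline());
  })();
}
```

With a 128 KiB high-water mark the two backpressure-aware variants never queue more than 128 KiB, while the first variant queues the entire 4 MiB body for a single slow client; multiply that by the number of sockets an attacker can hold open and the process runs out of memory.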
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-2bqg-g3xd-tyd4 | Content-Type header tab character allows body validation bypass. A validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (`\t`) followed by arbitrary content to the Content-Type header, an attacker can bypass body validation while the server still processes the body as the original content type. For example, a request with `Content-Type: application/json\ta` bypasses JSON schema validation but is still parsed as JSON. This affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints. The concrete impact depends on the handler implementation and the level of trust placed in the validated request body, but at the library level this allows complete bypass of body validation for any handler using Content-Type-discriminated schemas. This issue is a regression or missed edge case from the fix for a previously reported vulnerability. | CVE-2026-25223, GHSA-jx2c-rxcm-jvmq |
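Three of the entries on this page (CVE-2026-33806, CVE-2026-3419 and CVE-2026-25223) are the same shape of bug: a `Content-Type` value with trailing characters after the subtype token is accepted by one component and looked up verbatim by another, so the body is parsed as JSON while the JSON schema is never applied. The block below is an added example and is not Fastify's code. It pairs a strict RFC 9110 §8.3.1 media-type parser with an unanchored prefix match standing in for the missing-end-anchor behaviour, and runs a constructed request through a model of the vulnerable pipeline (parser chosen by prefix match, schema keyed on the raw header) and a hardened one (single strict parse, `415` on failure, both lookups keyed on the normalised `type/subtype`). The `PARSERS`, `SCHEMAS` and request bodies are constructed for the demonstration.

```javascript
// Added example (not Fastify's code): strict media-type parsing beside the
// unanchored match that lets "application/json garbage" and
// "application/json\ta" through. All routes, schemas and requests are constructed.

// tchar per RFC 9110 §5.6.2; a token is one or more of them.
const TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";
const OWS = "[ \\t]*";
const QUOTED = '"(?:[^"\\\\]|\\\\.)*"';
const PARAM = `${OWS};${OWS}(${TOKEN})=(${TOKEN}|${QUOTED})`;
// type "/" subtype *( OWS ";" OWS parameter ), anchored at both ends.
const MEDIA_TYPE_RE = new RegExp(`^(${TOKEN})/(${TOKEN})((?:${PARAM})*)$`);
const PARAM_RE = new RegExp(PARAM, "g");

// Strict parser: returns { type, subtype, parameters } or null. Type, subtype
// and parameter names are case-insensitive, so they are lower-cased.
function parseMediaType(value) {
  const m = MEDIA_TYPE_RE.exec(value);
  if (!m) return null;
  const parameters = {};
  for (const p of m[3].matchAll(PARAM_RE)) {
    let v = p[2];
    if (v.startsWith('"')) v = v.slice(1, -1).replace(/\\(.)/g, "$1"); // unquote
    parameters[p[1].toLowerCase()] = v;
  }
  return { type: m[1].toLowerCase(), subtype: m[2].toLowerCase(), parameters };
}

// Stand-in for a subtype regex with no end anchor: whatever follows the
// subtype token is silently ignored.
const LENIENT_RE = new RegExp(`^(${TOKEN})/(${TOKEN})`);
function lenientMediaType(value) {
  const m = LENIENT_RE.exec(value);
  return m ? `${m[1]}/${m[2]}`.toLowerCase() : null;
}

// Constructed route: one JSON body parser and one body schema, both keyed by
// media type. The (hypothetical) schema rejects any body that tries to set isAdmin.
const PARSERS = { "application/json": (raw) => JSON.parse(raw) };
const SCHEMAS = {
  "application/json": (body) => typeof body.name === "string" && !("isAdmin" in body),
};

// Vulnerable model: the parser is chosen by the lenient match, the schema by
// the raw header with parameters stripped. For "application/json\ta" the two
// disagree: the body is parsed as JSON and no schema is found, so validation is skipped.
function vulnerableHandle(contentType, rawBody) {
  const parse = PARSERS[lenientMediaType(contentType)];
  if (!parse) return { status: 415 };
  const body = parse(rawBody);
  const validate = SCHEMAS[contentType.split(";")[0].trim()];
  if (validate && !validate(body)) return { status: 400 };
  return { status: 200, body };
}

// Hardened model: parse once, strictly; reject with 415 when the header is
// malformed or has no parser; key parser and schema on the same normalised string.
function hardenedHandle(contentType, rawBody) {
  const mt = parseMediaType(contentType);
  if (!mt) return { status: 415 };
  const key = `${mt.type}/${mt.subtype}`;
  const parse = PARSERS[key];
  if (!parse) return { status: 415 };
  const body = parse(rawBody);
  const validate = SCHEMAS[key];
  if (validate && !validate(body)) return { status: 400 };
  return { status: 200, body };
}

// Constructed privilege-escalation body that the schema is meant to stop.
const ESCALATE = '{"name":"mallory","isAdmin":true}';

if (typeof require !== "undefined" && require.main === module) {
  for (const ct of ["application/json", "application/json\ta", "application/json garbage", "application/json; charset=utf-8"]) {
    console.log(JSON.stringify(ct), "vulnerable:", vulnerableHandle(ct, ESCALATE).status,
      "hardened:", hardenedHandle(ct, ESCALATE).status);
  }
}
```

The vulnerable model returns `400` for a plain `application/json` request but `200` for `application/json\ta` and `application/json garbage`, accepting the `isAdmin` field; the hardened model answers `415` to both malformed values and still validates well-formed requests, including ones with parameters such as `charset`.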