Package details: pkg:npm/fastify@5.7.3
purl pkg:npm/fastify@5.7.3
Next non-vulnerable version 5.8.5
Latest non-vulnerable version 5.8.5
Risk 4.0
Vulnerabilities affecting this package (3)
Vulnerability: VCID-13ut-fezt-uuh1
Aliases: CVE-2026-33806, GHSA-247c-9743-5963
Summary: fastify: Fastify: Schema validation bypass via malformed Content-Type header
Fixed by: 5.8.5 (affected by 0 other vulnerabilities)

Vulnerability: VCID-ma3h-te21-ekhk
Aliases: CVE-2026-3635, GHSA-444r-cwp2-x5xf
Summary: fastify: request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function
Fixed by: 5.8.3 (affected by 1 other vulnerability)

Vulnerability: VCID-sg2c-d386-d7dk
Aliases: CVE-2026-3419, GHSA-573f-x89g-hqp9
Summary: Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation
Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of [RFC 9110 §8.3.1](https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with `Content-Type: application/json garbage` passes validation and is processed normally, rather than being rejected with `415 Unsupported Media Type`. When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string, including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.
Fixed by: 5.8.1 (affected by 2 other vulnerabilities)
Vulnerabilities fixed by this package (1)
Vulnerability: VCID-zxan-bkya-9kau
Aliases: CVE-2026-25224, GHSA-mrq3-vjjr-p77c
Summary: Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream
A Denial of Service vulnerability in Fastify's Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a `ReadableStream` (or `Response` with a Web Stream body) via `reply.send()` are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T08:04:41.067819+00:00 | GitLab Importer | Affected by | VCID-13ut-fezt-uuh1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fastify/CVE-2026-33806.yml | 38.6.0 |
| 2026-06-06T07:34:56.503828+00:00 | GitLab Importer | Affected by | VCID-ma3h-te21-ekhk | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fastify/CVE-2026-3635.yml | 38.6.0 |
| 2026-06-06T07:13:55.231925+00:00 | GitLab Importer | Affected by | VCID-sg2c-d386-d7dk | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fastify/CVE-2026-3419.yml | 38.6.0 |
| 2026-06-05T21:57:45.718646+00:00 | GHSA Importer | Fixing | VCID-zxan-bkya-9kau | https://github.com/advisories/GHSA-mrq3-vjjr-p77c | 38.6.0 |
| 2026-06-04T16:54:58.176964+00:00 | GithubOSV Importer | Fixing | VCID-zxan-bkya-9kau | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-mrq3-vjjr-p77c/GHSA-mrq3-vjjr-p77c.json | 38.6.0 |
| 2026-06-02T04:49:52.312254+00:00 | GitLab Importer | Fixing | VCID-zxan-bkya-9kau | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fastify/CVE-2026-25224.yml | 38.6.0 |