Search for packages
| purl | pkg:npm/fastify@5.8.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-64tj-czqk-gyf1
Aliases: CVE-2026-33806 GHSA-247c-9743-5963 |
Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442 Patches: Upgrade to fastify v5.8.5 or later. Workarounds: None. Upgrade to the patched version. |
Affected by 0 other vulnerabilities. |
|
VCID-g4ar-bpke-2qc2
Aliases: CVE-2026-3635 GHSA-444r-cwp2-x5xf |
Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application. Affected Versions fastify <= 5.8.2 Impact Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function. When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-mjfs-h1jx-2yar | Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type. When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached. Impact: An attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid. Workarounds: Deploy a WAF rule to protect against this Fix: The fix is available starting with v5.8.1. |
CVE-2026-3419
GHSA-573f-x89g-hqp9 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T22:05:37.754384+00:00 | GitLab Importer | Affected by | VCID-64tj-czqk-gyf1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fastify/CVE-2026-33806.yml | 38.6.0 |
| 2026-06-12T21:37:19.742706+00:00 | GitLab Importer | Affected by | VCID-g4ar-bpke-2qc2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fastify/CVE-2026-3635.yml | 38.6.0 |
| 2026-06-12T15:51:07.882969+00:00 | GitLab Importer | Fixing | VCID-mjfs-h1jx-2yar | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fastify/CVE-2026-3419.yml | 38.6.0 |
| 2026-06-12T07:49:55.908006+00:00 | GithubOSV Importer | Fixing | VCID-mjfs-h1jx-2yar | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-573f-x89g-hqp9/GHSA-573f-x89g-hqp9.json | 38.6.0 |
| 2026-06-11T20:38:30.705130+00:00 | GHSA Importer | Fixing | VCID-mjfs-h1jx-2yar | https://github.com/advisories/GHSA-573f-x89g-hqp9 | 38.6.0 |