{"url":"http://public2.vulnerablecode.io/api/packages/376528?format=json","purl":"pkg:npm/fastify@5.3.2","type":"npm","namespace":"","name":"fastify","version":"5.3.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.8.5","latest_non_vulnerable_version":"5.8.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78314?format=json","vulnerability_id":"VCID-64tj-czqk-gyf1","summary":"Impact:\n\nFastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly, but schema validation is skipped.\n\nThis is a regression, affecting fastify >= 5.3.2, introduced by the fix for CVE-2025-32442.\n\nPatches:\n\nUpgrade to fastify v5.8.5 or later.\n\nWorkarounds:\n\nNone. Upgrade to the patched version.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33806.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33806.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33806","reference_id":"","reference_type":"","scores":[{"value":"0.00107","scoring_system":"epss","scoring_elements":"0.28366","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33806"},{"reference_url":"https://github.com/fastify/fastify","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify"},{"reference_url":"https://github.com/fastify/fastify/releases/tag/v5.8.5","reference_id":"","reference_type":"","scores":
[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify/releases/tag/v5.8.5"},{"reference_url":"https://github.com/fastify/fastify/security/advisories/GHSA-247c-9743-5963","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify/security/advisories/GHSA-247c-9743-5963"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32442","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32442"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33806","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33806"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2458596","reference_id":"2458596","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2458596"},{"reference_url":"https://github.com/advisories/GHSA-247c-9743-5963","reference_id":"GHSA-247c-9743-5963","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-247c-9743-5963"},{"reference_url":"https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc","refer
ence_id":"GHSA-mg2h-6x62-wpwc","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T14:02:12Z/"}],"url":"https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc"},{"reference_url":"https://cna.openjsf.org/security-advisories.html","reference_id":"security-advisories.html","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T14:02:12Z/"}],"url":"https://cna.openjsf.org/security-advisories.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373417?format=json","purl":"pkg:npm/fastify@5.8.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@5.8.5"}],"aliases":["CVE-2026-33806","GHSA-247c-9743-5963"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-64tj-czqk-gyf1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66190?format=json","vulnerability_id":"VCID-6ht9-gg8u-9qax","summary":"Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. 
A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25224.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25224.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25224","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.0568","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25224"},{"reference_url":"https://github.com/fastify/fastify","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436557","reference_id":"2436557","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436557"},{"reference_url":"https://hackerone.com/reports/3524779","reference_id":"3524779","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T16:20:26Z/"}],"url":"https://hackerone.com/reports/3524779"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25224","reference_id":"CVE-2026-25224","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements
":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25224"},{"reference_url":"https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37","reference_id":"eb11156396f6a5fedaceed0140aed2b7f026be37","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T16:20:26Z/"}],"url":"https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37"},{"reference_url":"https://github.com/advisories/GHSA-mrq3-vjjr-p77c","reference_id":"GHSA-mrq3-vjjr-p77c","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mrq3-vjjr-p77c"},{"reference_url":"https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c","reference_id":"GHSA-mrq3-vjjr-p77c","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T16:20:26Z/"}],"url":"https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38519?format=json","purl":"pkg:npm/fastify@5.7.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-64tj-czqk-gyf1"},{"vulnerability":"VCID-g4ar-bpke-2qc2"},{"vulnerability":"VCID-mjfs-h1jx-2yar"}],"resource_url":"http://public2.vulnerablecode.io/packa
ges/pkg:npm/fastify@5.7.3"}],"aliases":["CVE-2026-25224","GHSA-mrq3-vjjr-p77c"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6ht9-gg8u-9qax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66115?format=json","vulnerability_id":"VCID-8p2p-977a-qqb6","summary":"Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25223.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25223.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25223","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06277","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25223"},{"reference_url":"https://github.com/fastify/fastify","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436560","reference_id":"2436560","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?i
d=2436560"},{"reference_url":"https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821","reference_id":"32d7b6add39ddf082d92579a58bea7018c5ac821","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/"}],"url":"https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821"},{"reference_url":"https://hackerone.com/reports/3464114","reference_id":"3464114","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/"}],"url":"https://hackerone.com/reports/3464114"},{"reference_url":"https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125","reference_id":"content-type-parser.js#L125","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/"}],"url":"https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25223","reference_id":"CVE-2026-25223","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elem
ents":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25223"},{"reference_url":"https://github.com/advisories/GHSA-jx2c-rxcm-jvmq","reference_id":"GHSA-jx2c-rxcm-jvmq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jx2c-rxcm-jvmq"},{"reference_url":"https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq","reference_id":"GHSA-jx2c-rxcm-jvmq","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/"}],"url":"https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5807","reference_id":"RHSA-2026:5807","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5807"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6192","reference_id":"RHSA-2026:6192","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6192"},{"reference_url":"https://fastify.dev/docs/latest/Reference/Validation-and-Serialization","reference_id":"Validation-and-Serialization","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/"}],"url":"h
ttps://fastify.dev/docs/latest/Reference/Validation-and-Serialization"},{"reference_url":"https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272","reference_id":"validation.js#L272","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/"}],"url":"https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38515?format=json","purl":"pkg:npm/fastify@5.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-64tj-czqk-gyf1"},{"vulnerability":"VCID-6ht9-gg8u-9qax"},{"vulnerability":"VCID-g4ar-bpke-2qc2"},{"vulnerability":"VCID-mjfs-h1jx-2yar"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@5.7.2"}],"aliases":["CVE-2026-25223","GHSA-jx2c-rxcm-jvmq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8p2p-977a-qqb6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/85605?format=json","vulnerability_id":"VCID-g4ar-bpke-2qc2","summary":"Summary\nWhen trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. 
This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.\n\nAffected Versions\nfastify <= 5.8.2\n\nImpact\nApplications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.\n\nWhen trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3635.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3635.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3635","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01849","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3635"},{"reference_url":"https://github.com/fastify/fastify","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify"},{"reference_url":"https://github.com/fastify/fastify/releases/tag/v5.8.3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify/releases/tag/v5.8.3"},{"reference_u
rl":"https://nvd.nist.gov/vuln/detail/CVE-2026-3635","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3635"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450330","reference_id":"2450330","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450330"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2026-3635","reference_id":"CVERecord?id=CVE-2026-3635","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T15:29:15Z/"}],"url":"https://www.cve.org/CVERecord?id=CVE-2026-3635"},{"reference_url":"https://github.com/advisories/GHSA-444r-cwp2-x5xf","reference_id":"GHSA-444r-cwp2-x5xf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-444r-cwp2-x5xf"},{"reference_url":"https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf","reference_id":"GHSA-444r-cwp2-x5xf","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T15:29:15Z/"}],"url":"https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf"},{"reference_url":"https://cna.openjsf.org/security-advisories.
html","reference_id":"security-advisories.html","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T15:29:15Z/"}],"url":"https://cna.openjsf.org/security-advisories.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374885?format=json","purl":"pkg:npm/fastify@5.8.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-64tj-czqk-gyf1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@5.8.3"}],"aliases":["CVE-2026-3635","GHSA-444r-cwp2-x5xf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g4ar-bpke-2qc2"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/114071?format=json","vulnerability_id":"VCID-8s7j-euyn-2uaz","summary":"Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`. This was patched in v5.3.1, but the initial patch did not cover all problems. This has been fully patched in v5.3.2 and v4.29.1. 
A workaround involves not specifying individual content types in the schema.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32442.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32442.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32442","reference_id":"","reference_type":"","scores":[{"value":"0.00069","scoring_system":"epss","scoring_elements":"0.21258","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32442"},{"reference_url":"https://github.com/fastify/fastify","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32442","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32442"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2361006","reference_id":"2361006","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2361006"},{"reference_url":"https://hackerone.com/reports/3087928","reference_id":"3087928","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-21
T13:28:27Z/"}],"url":"https://hackerone.com/reports/3087928"},{"reference_url":"https://github.com/fastify/fastify/commit/436da4c06dfbbb8c24adee3a64de0c51e4f47418","reference_id":"436da4c06dfbbb8c24adee3a64de0c51e4f47418","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:28:27Z/"}],"url":"https://github.com/fastify/fastify/commit/436da4c06dfbbb8c24adee3a64de0c51e4f47418"},{"reference_url":"https://github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4","reference_id":"f3d2bcb3963cd570a582e5d39aab01a9ae692fe4","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:28:27Z/"}],"url":"https://github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4"},{"reference_url":"https://github.com/advisories/GHSA-mg2h-6x62-wpwc","reference_id":"GHSA-mg2h-6x62-wpwc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mg2h-6x62-wpwc"},{"reference_url":"https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc","reference_id":"GHSA-mg2h-6x62-wpwc","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:28:27Z/"}],"url":"https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc"}],"fixed_packages"
:[{"url":"http://public2.vulnerablecode.io/api/packages/376530?format=json","purl":"pkg:npm/fastify@4.29.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ht9-gg8u-9qax"},{"vulnerability":"VCID-8p2p-977a-qqb6"},{"vulnerability":"VCID-g4ar-bpke-2qc2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@4.29.1"},{"url":"http://public2.vulnerablecode.io/api/packages/794812?format=json","purl":"pkg:npm/fastify@5.0.0-alpha.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ht9-gg8u-9qax"},{"vulnerability":"VCID-8p2p-977a-qqb6"},{"vulnerability":"VCID-g4ar-bpke-2qc2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@5.0.0-alpha.2"},{"url":"http://public2.vulnerablecode.io/api/packages/376528?format=json","purl":"pkg:npm/fastify@5.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-64tj-czqk-gyf1"},{"vulnerability":"VCID-6ht9-gg8u-9qax"},{"vulnerability":"VCID-8p2p-977a-qqb6"},{"vulnerability":"VCID-g4ar-bpke-2qc2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@5.3.2"}],"aliases":["CVE-2025-32442","GHSA-mg2h-6x62-wpwc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8s7j-euyn-2uaz"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@5.3.2"}