{"url":"http://public2.vulnerablecode.io/api/packages/423490?format=json","purl":"pkg:npm/fastify@0.26.1","type":"npm","namespace":"","name":"fastify","version":"0.26.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.8.5","latest_non_vulnerable_version":"5.8.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/200779?format=json","vulnerability_id":"VCID-4pu6-91xp-kud3","summary":"Denial of Service vulnerability with large JSON payloads in fastify","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-3711","reference_id":"","reference_type":"","scores":[{"value":"0.00331","scoring_system":"epss","scoring_elements":"0.56415","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00331","scoring_system":"epss","scoring_elements":"0.56538","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00331","scoring_system":"epss","scoring_elements":"0.56548","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00331","scoring_system":"epss","scoring_elements":"0.56534","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-3711"},{"reference_url":"https://github.com/fastify/fastify/commit/fabd2a011f2ffbb877394abe699f549513ffbd76","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify/commit/fabd2a011f2ffbb877394abe699f549513ffbd76"},{"reference_url":"https://github.com/fastify/fastify/pull/627","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify/pull/627"},{"reference_url":"https://github.com/fastify/fastify/releases/tag/v0.38.0","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/fastify/fastify/releases/tag/v0.38.0"},{"reference_url":"https://hackerone.com/reports/303632","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/303632"},{"reference_url":"https://www.npmjs.com/advisories/564","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/564"},{"reference_url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/364.json","reference_id":"364","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/364.json"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-3711","reference_id":"CVE-2018-3711","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-3711"},{"reference_url":"https://github.com/advisories/GHSA-mq6c-fh97-4gwv","reference_id":"GHSA-mq6c-fh97-4gwv","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mq6c-fh97-4gwv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13231?format=json","purl":"pkg:npm/fastify@0.38.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ht9-gg8u-9qax"},{"vulnerability":"VCID-76v3-f591-2qdt"},{"vulnerability":"VCID-8p2p-977a-qqb6"},{"vulnerability":"VCID-f1g6-gvqq-6kbf"},{"vulnerability":"VCID-g4ar-bpke-2qc2"},{"vulnerability":"VCID-t6pc-rnnq-g3gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@0.38.0"}],"aliases":["CVE-2018-3711","GHSA-mq6c-fh97-4gwv"],"risk_score":4.2,"exploitability":"0.5","weighted_severity":"8.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4pu6-91xp-kud3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66190?format=json","vulnerability_id":"VCID-6ht9-gg8u-9qax","summary":"Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25224.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25224.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25224","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05689","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.0568","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05698","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05706","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25224"},{"reference_url":"https://github.com/fastify/fastify","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436557","reference_id":"2436557","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436557"},{"reference_url":"https://hackerone.com/reports/3524779","reference_id":"3524779","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T16:20:26Z/"}],"url":"https://hackerone.com/reports/3524779"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25224","reference_id":"CVE-2026-25224","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25224"},{"reference_url":"https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37","reference_id":"eb11156396f6a5fedaceed0140aed2b7f026be37","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T16:20:26Z/"}],"url":"https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37"},{"reference_url":"https://github.com/advisories/GHSA-mrq3-vjjr-p77c","reference_id":"GHSA-mrq3-vjjr-p77c","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mrq3-vjjr-p77c"},{"reference_url":"https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c","reference_id":"GHSA-mrq3-vjjr-p77c","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T16:20:26Z/"}],"url":"https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38519?format=json","purl":"pkg:npm/fastify@5.7.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-64tj-czqk-gyf1"},{"vulnerability":"VCID-g4ar-bpke-2qc2"},{"vulnerability":"VCID-mjfs-h1jx-2yar"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@5.7.3"}],"aliases":["CVE-2026-25224","GHSA-mrq3-vjjr-p77c"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6ht9-gg8u-9qax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/169359?format=json","vulnerability_id":"VCID-76v3-f591-2qdt","summary":"github-action-merge-dependabot is an action that automatically approves and merges dependabot pull requests (PRs). Prior to version 3.2.0, github-action-merge-dependabot does not check if a commit created by dependabot is verified with the proper GPG key. There is just a check if the actor is set to `dependabot[bot]` to determine if the PR is a legit PR. Theoretically, an owner of a seemingly valid and legit action in the pipeline can check if the PR is created by dependabot and if their own action has enough permissions to modify the PR in the pipeline. If so, they can modify the PR by adding a second seemingly valid and legit commit to the PR, as they can set arbitrarily the username and email in for commits in git. Because the bot only checks if the actor is valid, it would pass the malicious changes through and merge the PR automatically, without getting noticed by project maintainers. It would probably not be possible to determine where the malicious commit came from, as it would only say `dependabot[bot]` and the corresponding email-address. Version 3.2.0 contains a patch for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-29220","reference_id":"","reference_type":"","scores":[{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24077","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24265","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24283","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24273","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-29220"},{"reference_url":"https://github.com/fastify/github-action-merge-dependabot/commit/309f39539c5d918d8a47075587aa8720a9c127f7","reference_id":"309f39539c5d918d8a47075587aa8720a9c127f7","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:06:35Z/"}],"url":"https://github.com/fastify/github-action-merge-dependabot/commit/309f39539c5d918d8a47075587aa8720a9c127f7"},{"reference_url":"https://hackerone.com/bugs?report_id=1564530","reference_id":"bugs?report_id=1564530","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:06:35Z/"}],"url":"https://hackerone.com/bugs?report_id=1564530"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29220","reference_id":"CVE-2022-29220","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29220"},{"reference_url":"https://github.com/fastify/github-action-merge-dependabot/security/advisories/GHSA-v5vr-h3xq-8v6w","reference_id":"GHSA-v5vr-h3xq-8v6w","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:06:35Z/"}],"url":"https://github.com/fastify/github-action-merge-dependabot/security/advisories/GHSA-v5vr-h3xq-8v6w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/592082?format=json","purl":"pkg:npm/fastify@3.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ht9-gg8u-9qax"},{"vulnerability":"VCID-8p2p-977a-qqb6"},{"vulnerability":"VCID-f1g6-gvqq-6kbf"},{"vulnerability":"VCID-g4ar-bpke-2qc2"},{"vulnerability":"VCID-gmrs-ecv5-6kgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@3.2.0"}],"aliases":["CVE-2022-29220","GHSA-v5vr-h3xq-8v6w"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-76v3-f591-2qdt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66115?format=json","vulnerability_id":"VCID-8p2p-977a-qqb6","summary":"Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25223.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25223.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25223","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06265","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06277","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06297","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06285","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25223"},{"reference_url":"https://github.com/fastify/fastify","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436560","reference_id":"2436560","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436560"},{"reference_url":"https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821","reference_id":"32d7b6add39ddf082d92579a58bea7018c5ac821","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/"}],"url":"https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821"},{"reference_url":"https://hackerone.com/reports/3464114","reference_id":"3464114","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/"}],"url":"https://hackerone.com/reports/3464114"},{"reference_url":"https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125","reference_id":"content-type-parser.js#L125","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/"}],"url":"https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25223","reference_id":"CVE-2026-25223","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25223"},{"reference_url":"https://github.com/advisories/GHSA-jx2c-rxcm-jvmq","reference_id":"GHSA-jx2c-rxcm-jvmq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jx2c-rxcm-jvmq"},{"reference_url":"https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq","reference_id":"GHSA-jx2c-rxcm-jvmq","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/"}],"url":"https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5807","reference_id":"RHSA-2026:5807","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5807"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6192","reference_id":"RHSA-2026:6192","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6192"},{"reference_url":"https://fastify.dev/docs/latest/Reference/Validation-and-Serialization","reference_id":"Validation-and-Serialization","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/"}],"url":"https://fastify.dev/docs/latest/Reference/Validation-and-Serialization"},{"reference_url":"https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272","reference_id":"validation.js#L272","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/"}],"url":"https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38515?format=json","purl":"pkg:npm/fastify@5.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-64tj-czqk-gyf1"},{"vulnerability":"VCID-6ht9-gg8u-9qax"},{"vulnerability":"VCID-g4ar-bpke-2qc2"},{"vulnerability":"VCID-mjfs-h1jx-2yar"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@5.7.2"}],"aliases":["CVE-2026-25223","GHSA-jx2c-rxcm-jvmq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8p2p-977a-qqb6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/168258?format=json","vulnerability_id":"VCID-f1g6-gvqq-6kbf","summary":"fastify is a fast and low overhead web framework, for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit `fbb07e8d` and will be included in release version 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually filter out http content with malicious Content-Type headers.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39288","reference_id":"","reference_type":"","scores":[{"value":"0.04685","scoring_system":"epss","scoring_elements":"0.8962","published_at":"2026-06-14T12:55:00Z"},{"value":"0.04685","scoring_system":"epss","scoring_elements":"0.8958","published_at":"2026-06-11T12:55:00Z"},{"value":"0.04685","scoring_system":"epss","scoring_elements":"0.89621","published_at":"2026-06-13T12:55:00Z"},{"value":"0.04685","scoring_system":"epss","scoring_elements":"0.89614","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39288"},{"reference_url":"https://github.com/fastify/fastify","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify"},{"reference_url":"https://hackerone.com/bugs?report_id=1715536&subject=fastify","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/bugs?report_id=1715536&subject=fastify"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39288","reference_id":"CVE-2022-39288","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39288"},{"reference_url":"https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3","reference_id":"fbb07e8dfad74c69cd4cd2211aedab87194618e3","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:15Z/"}],"url":"https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3"},{"reference_url":"https://github.com/advisories/GHSA-455w-c45v-86rg","reference_id":"GHSA-455w-c45v-86rg","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-455w-c45v-86rg"},{"reference_url":"https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg","reference_id":"GHSA-455w-c45v-86rg","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:15Z/"}],"url":"https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg"},{"reference_url":"https://github.com/fastify/fastify/security/policy","reference_id":"policy","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:15Z/"}],"url":"https://github.com/fastify/fastify/security/policy"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/27292?format=json","purl":"pkg:npm/fastify@4.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ht9-gg8u-9qax"},{"vulnerability":"VCID-8p2p-977a-qqb6"},{"vulnerability":"VCID-g4ar-bpke-2qc2"},{"vulnerability":"VCID-gmrs-ecv5-6kgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@4.8.1"}],"aliases":["CVE-2022-39288","GHSA-455w-c45v-86rg"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f1g6-gvqq-6kbf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/85605?format=json","vulnerability_id":"VCID-g4ar-bpke-2qc2","summary":"Summary\nWhen trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.\n\nAffected Versions\nfastify <= 5.8.2\n\nImpact\nApplications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.\n\nWhen trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3635.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3635.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3635","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01849","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01861","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01852","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01851","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3635"},{"reference_url":"https://github.com/fastify/fastify","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify"},{"reference_url":"https://github.com/fastify/fastify/releases/tag/v5.8.3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify/releases/tag/v5.8.3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3635","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3635"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450330","reference_id":"2450330","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450330"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2026-3635","reference_id":"CVERecord?id=CVE-2026-3635","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T15:29:15Z/"}],"url":"https://www.cve.org/CVERecord?id=CVE-2026-3635"},{"reference_url":"https://github.com/advisories/GHSA-444r-cwp2-x5xf","reference_id":"GHSA-444r-cwp2-x5xf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-444r-cwp2-x5xf"},{"reference_url":"https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf","reference_id":"GHSA-444r-cwp2-x5xf","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T15:29:15Z/"}],"url":"https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf"},{"reference_url":"https://cna.openjsf.org/security-advisories.html","reference_id":"security-advisories.html","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T15:29:15Z/"}],"url":"https://cna.openjsf.org/security-advisories.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374885?format=json","purl":"pkg:npm/fastify@5.8.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-64tj-czqk-gyf1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@5.8.3"}],"aliases":["CVE-2026-3635","GHSA-444r-cwp2-x5xf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g4ar-bpke-2qc2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/205125?format=json","vulnerability_id":"VCID-t6pc-rnnq-g3gv","summary":"Denial of service in fastify","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8192","reference_id":"","reference_type":"","scores":[{"value":"0.00383","scoring_system":"epss","scoring_elements":"0.60131","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00383","scoring_system":"epss","scoring_elements":"0.60024","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00383","scoring_system":"epss","scoring_elements":"0.60135","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00383","scoring_system":"epss","scoring_elements":"0.60143","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8192"},{"reference_url":"https://github.com/fastify/fastify/commit/74c3157ca90c3ffed9e4434f63c2017471ec970e","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify/commit/74c3157ca90c3ffed9e4434f63c2017471ec970e"},{"reference_url":"https://hackerone.com/reports/903521","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/903521"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8192","reference_id":"CVE-2020-8192","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8192"},{"reference_url":"https://github.com/advisories/GHSA-xw5p-hw6r-2j98","reference_id":"GHSA-xw5p-hw6r-2j98","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xw5p-hw6r-2j98"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/16834?format=json","purl":"pkg:npm/fastify@2.15.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ht9-gg8u-9qax"},{"vulnerability":"VCID-76v3-f591-2qdt"},{"vulnerability":"VCID-8p2p-977a-qqb6"},{"vulnerability":"VCID-f1g6-gvqq-6kbf"},{"vulnerability":"VCID-g4ar-bpke-2qc2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@2.15.1"},{"url":"http://public2.vulnerablecode.io/api/packages/27964?format=json","purl":"pkg:npm/fastify@3.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ht9-gg8u-9qax"},{"vulnerability":"VCID-76v3-f591-2qdt"},{"vulnerability":"VCID-8p2p-977a-qqb6"},{"vulnerability":"VCID-f1g6-gvqq-6kbf"},{"vulnerability":"VCID-g4ar-bpke-2qc2"},{"vulnerability":"VCID-gmrs-ecv5-6kgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@3.0.0"}],"aliases":["CVE-2020-8192","GHSA-xw5p-hw6r-2j98"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t6pc-rnnq-g3gv"}],"fixing_vulnerabilities":[],"risk_score":"4.2","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@0.26.1"}