{"url":"http://public2.vulnerablecode.io/api/packages/592153?format=json","purl":"pkg:npm/fastify@4.0.2","type":"npm","namespace":"","name":"fastify","version":"4.0.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.8.5","latest_non_vulnerable_version":"5.8.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66190?format=json","vulnerability_id":"VCID-6ht9-gg8u-9qax","summary":"Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25224.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25224.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25224","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05698","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.0568","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05706","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25224"},{"reference_url":"https://github.com/fastify/fastify","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"C
VSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436557","reference_id":"2436557","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436557"},{"reference_url":"https://hackerone.com/reports/3524779","reference_id":"3524779","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T16:20:26Z/"}],"url":"https://hackerone.com/reports/3524779"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25224","reference_id":"CVE-2026-25224","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25224"},{"reference_url":"https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37","reference_id":"eb11156396f6a5fedaceed0140aed2b7f026be37","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T16:20:26Z/"}],"url":"https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37"},{"reference_url":"https://github.com/advisories/GHSA-mrq3-vjjr-p77c","reference_id":"GHSA-mrq3-vjjr-p77c","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.
com/advisories/GHSA-mrq3-vjjr-p77c"},{"reference_url":"https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c","reference_id":"GHSA-mrq3-vjjr-p77c","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T16:20:26Z/"}],"url":"https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38519?format=json","purl":"pkg:npm/fastify@5.7.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-64tj-czqk-gyf1"},{"vulnerability":"VCID-g4ar-bpke-2qc2"},{"vulnerability":"VCID-mjfs-h1jx-2yar"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@5.7.3"}],"aliases":["CVE-2026-25224","GHSA-mrq3-vjjr-p77c"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6ht9-gg8u-9qax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66115?format=json","vulnerability_id":"VCID-8p2p-977a-qqb6","summary":"Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. 
This issue has been patched in version 5.7.2.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25223.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25223.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25223","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06285","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06277","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06297","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25223"},{"reference_url":"https://github.com/fastify/fastify","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436560","reference_id":"2436560","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436560"},{"reference_url":"https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821","reference_id":"32d7b6add39ddf082d92579a58bea7018c5ac821","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/"}],"url":"https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a
58bea7018c5ac821"},{"reference_url":"https://hackerone.com/reports/3464114","reference_id":"3464114","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/"}],"url":"https://hackerone.com/reports/3464114"},{"reference_url":"https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125","reference_id":"content-type-parser.js#L125","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/"}],"url":"https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25223","reference_id":"CVE-2026-25223","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25223"},{"reference_url":"https://github.com/advisories/GHSA-jx2c-rxcm-jvmq","reference_id":"GHSA-jx2c-rxcm-jvmq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jx2c-rxcm-jvmq"},{"reference_url":"https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq","reference_id":"GHSA-jx2c-rxcm-jvmq","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:
N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/"}],"url":"https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5807","reference_id":"RHSA-2026:5807","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5807"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6192","reference_id":"RHSA-2026:6192","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6192"},{"reference_url":"https://fastify.dev/docs/latest/Reference/Validation-and-Serialization","reference_id":"Validation-and-Serialization","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/"}],"url":"https://fastify.dev/docs/latest/Reference/Validation-and-Serialization"},{"reference_url":"https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272","reference_id":"validation.js#L272","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:18:10Z/"}],"url":"https:/
/github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38515?format=json","purl":"pkg:npm/fastify@5.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-64tj-czqk-gyf1"},{"vulnerability":"VCID-6ht9-gg8u-9qax"},{"vulnerability":"VCID-g4ar-bpke-2qc2"},{"vulnerability":"VCID-mjfs-h1jx-2yar"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@5.7.2"}],"aliases":["CVE-2026-25223","GHSA-jx2c-rxcm-jvmq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8p2p-977a-qqb6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/168258?format=json","vulnerability_id":"VCID-f1g6-gvqq-6kbf","summary":"fastify is a fast and low overhead web framework, for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit `fbb07e8d` and will be included in release version 4.8.1. Users are advised to upgrade. 
Users unable to upgrade may manually filter out http content with malicious Content-Type headers.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39288","reference_id":"","reference_type":"","scores":[{"value":"0.04685","scoring_system":"epss","scoring_elements":"0.8958","published_at":"2026-06-11T12:55:00Z"},{"value":"0.04685","scoring_system":"epss","scoring_elements":"0.89621","published_at":"2026-06-13T12:55:00Z"},{"value":"0.04685","scoring_system":"epss","scoring_elements":"0.89614","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39288"},{"reference_url":"https://github.com/fastify/fastify","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify"},{"reference_url":"https://hackerone.com/bugs?report_id=1715536&subject=fastify","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/bugs?report_id=1715536&subject=fastify"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39288","reference_id":"CVE-2022-39288","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39288"},{"reference_url":"https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3","reference_id":"fbb07e8dfad74c69cd4cd2211aedab87194618e3","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U
/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:15Z/"}],"url":"https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3"},{"reference_url":"https://github.com/advisories/GHSA-455w-c45v-86rg","reference_id":"GHSA-455w-c45v-86rg","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-455w-c45v-86rg"},{"reference_url":"https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg","reference_id":"GHSA-455w-c45v-86rg","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:15Z/"}],"url":"https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg"},{"reference_url":"https://github.com/fastify/fastify/security/policy","reference_id":"policy","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:15Z/"}],"url":"https://github.com/fastify/fastify/security/policy"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/27292?format=json","purl":"pkg:npm/fastify@4.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ht9-gg8u-9qax"},{"vulnerability":"VCID-8p2p-977a-qqb6"},{"vulnerability":"VCID-g4ar-bpke-2qc2"},{"vulnerability":"VCID-gmrs-
ecv5-6kgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@4.8.1"}],"aliases":["CVE-2022-39288","GHSA-455w-c45v-86rg"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f1g6-gvqq-6kbf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/85605?format=json","vulnerability_id":"VCID-g4ar-bpke-2qc2","summary":"Summary\nWhen trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.\n\nAffected Versions\nfastify <= 5.8.2\n\nImpact\nApplications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.\n\nWhen trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. 
The vulnerability only manifests with restrictive trust configurations.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3635.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3635.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3635","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01849","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01852","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01851","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3635"},{"reference_url":"https://github.com/fastify/fastify","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify"},{"reference_url":"https://github.com/fastify/fastify/releases/tag/v5.8.3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify/releases/tag/v5.8.3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3635","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3635
"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450330","reference_id":"2450330","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450330"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2026-3635","reference_id":"CVERecord?id=CVE-2026-3635","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T15:29:15Z/"}],"url":"https://www.cve.org/CVERecord?id=CVE-2026-3635"},{"reference_url":"https://github.com/advisories/GHSA-444r-cwp2-x5xf","reference_id":"GHSA-444r-cwp2-x5xf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-444r-cwp2-x5xf"},{"reference_url":"https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf","reference_id":"GHSA-444r-cwp2-x5xf","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T15:29:15Z/"}],"url":"https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf"},{"reference_url":"https://cna.openjsf.org/security-advisories.html","reference_id":"security-advisories.html","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T
:P/P:M/B:A/M:M/D:T/2026-03-23T15:29:15Z/"}],"url":"https://cna.openjsf.org/security-advisories.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374885?format=json","purl":"pkg:npm/fastify@5.8.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-64tj-czqk-gyf1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@5.8.3"}],"aliases":["CVE-2026-3635","GHSA-444r-cwp2-x5xf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g4ar-bpke-2qc2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/172655?format=json","vulnerability_id":"VCID-gmrs-ecv5-6kgm","summary":"Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect `Content-Type` to bypass the `Pre-Flight` checking of `fetch`. `fetch()` requests with Content-Type’s essence as \"application/x-www-form-urlencoded\", \"multipart/form-data\", or \"text/plain\", could potentially be used to invoke routes that only accept `application/json` content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack. This issue has been patched in versions 4.10.2 and 3.29.4. 
As a workaround, implement Cross-Site Request Forgery protection using `@fastify/csrf`.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41919.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41919.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-41919","reference_id":"","reference_type":"","scores":[{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.3022","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.30204","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00117","scoring_system":"epss","scoring_elements":"0.30007","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-41919"},{"reference_url":"https://github.com/fastify/fastify","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify"},{"reference_url":"https://www.npmjs.com/package/@fastify/csrf","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/package/@fastify/csrf"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2159502","reference_id":"2159502","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2159502"},{"reference_url":"https://github.com/fastify/fastify/commit/62dde76f1f7aca76e38625fe8d983761f26e6fc9","reference_id":"62dde76f1f7aca76e38625fe8d983761f26e6fc9","reference
_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:54:07Z/"}],"url":"https://github.com/fastify/fastify/commit/62dde76f1f7aca76e38625fe8d983761f26e6fc9"},{"reference_url":"https://www.npmjs.com/package/%40fastify/csrf","reference_id":"csrf","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:54:07Z/"}],"url":"https://www.npmjs.com/package/%40fastify/csrf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41919","reference_id":"CVE-2022-41919","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41919"},{"reference_url":"https://github.com/advisories/GHSA-3fjj-p79j-c9hh","reference_id":"GHSA-3fjj-p79j-c9hh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3fjj-p79j-c9hh"},{"reference_url":"https://github.com/fastify/fastify/security/advisories/GHSA-3fjj-p79j-c9hh","reference_id":"GHSA-3fjj-p79j-c9hh","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T1
3:54:07Z/"}],"url":"https://github.com/fastify/fastify/security/advisories/GHSA-3fjj-p79j-c9hh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/27963?format=json","purl":"pkg:npm/fastify@4.10.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6ht9-gg8u-9qax"},{"vulnerability":"VCID-8p2p-977a-qqb6"},{"vulnerability":"VCID-g4ar-bpke-2qc2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@4.10.2"}],"aliases":["CVE-2022-41919","GHSA-3fjj-p79j-c9hh","GMS-2022-6953"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"7.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gmrs-ecv5-6kgm"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@4.0.2"}