{"url":"http://public2.vulnerablecode.io/api/packages/959056?format=json","purl":"pkg:npm/fastify@5.7.4","type":"npm","namespace":"","name":"fastify","version":"5.7.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.8.5","latest_non_vulnerable_version":"5.8.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78314?format=json","vulnerability_id":"VCID-64tj-czqk-gyf1","summary":"Impact:\n\nFastify applications using schema.body.content for per-content-type body validation can have that validation bypassed entirely by prepending a space to the Content-Type header value. The body is still parsed correctly, but schema validation is skipped, so unvalidated input reaches the route handler.\n\nThis is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442; versions in the range >= 5.3.2 and < 5.8.5 are affected.\n\nPatches:\n\nUpgrade to fastify v5.8.5 or later.\n\nWorkarounds:\n\nNone. Upgrade to the patched version.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33806.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33806.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33806","reference_id":"","reference_type":"","scores":[{"value":"0.00107","scoring_system":"epss","scoring_elements":"0.28366","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33806"},{"reference_url":"https://github.com/fastify/fastify","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify"},{"reference_url":"https://github.com/fastify/fastify/releases/tag/v5.8.5","reference_id":"","reference_type":"","scores":
[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify/releases/tag/v5.8.5"},{"reference_url":"https://github.com/fastify/fastify/security/advisories/GHSA-247c-9743-5963","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify/security/advisories/GHSA-247c-9743-5963"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32442","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32442"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33806","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33806"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2458596","reference_id":"2458596","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2458596"},{"reference_url":"https://github.com/advisories/GHSA-247c-9743-5963","reference_id":"GHSA-247c-9743-5963","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-247c-9743-5963"},{"reference_url":"https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc","refer
ence_id":"GHSA-mg2h-6x62-wpwc","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T14:02:12Z/"}],"url":"https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc"},{"reference_url":"https://cna.openjsf.org/security-advisories.html","reference_id":"security-advisories.html","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T14:02:12Z/"}],"url":"https://cna.openjsf.org/security-advisories.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373417?format=json","purl":"pkg:npm/fastify@5.8.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@5.8.5"}],"aliases":["CVE-2026-33806","GHSA-247c-9743-5963"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-64tj-czqk-gyf1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/85605?format=json","vulnerability_id":"VCID-g4ar-bpke-2qc2","summary":"Summary\nWhen trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. 
This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.\n\nAffected Versions\nfastify <= 5.8.2\n\nImpact\nApplications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.\n\nWhen trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3635.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3635.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3635","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01849","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3635"},{"reference_url":"https://github.com/fastify/fastify","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify"},{"reference_url":"https://github.com/fastify/fastify/releases/tag/v5.8.3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify/releases/tag/v5.8.3"},{"reference_u
rl":"https://nvd.nist.gov/vuln/detail/CVE-2026-3635","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3635"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450330","reference_id":"2450330","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450330"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2026-3635","reference_id":"CVERecord?id=CVE-2026-3635","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T15:29:15Z/"}],"url":"https://www.cve.org/CVERecord?id=CVE-2026-3635"},{"reference_url":"https://github.com/advisories/GHSA-444r-cwp2-x5xf","reference_id":"GHSA-444r-cwp2-x5xf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-444r-cwp2-x5xf"},{"reference_url":"https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf","reference_id":"GHSA-444r-cwp2-x5xf","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T15:29:15Z/"}],"url":"https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf"},{"reference_url":"https://cna.openjsf.org/security-advisories.
html","reference_id":"security-advisories.html","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T15:29:15Z/"}],"url":"https://cna.openjsf.org/security-advisories.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374885?format=json","purl":"pkg:npm/fastify@5.8.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-64tj-czqk-gyf1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@5.8.3"}],"aliases":["CVE-2026-3635","GHSA-444r-cwp2-x5xf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g4ar-bpke-2qc2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/85904?format=json","vulnerability_id":"VCID-mjfs-h1jx-2yar","summary":"Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token that are not a valid media-type parameter list, in violation of RFC 9110 §8.3.1 (https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with `Content-Type: application/json garbage` passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.\n\nWhen regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.\n\nImpact:\nAn attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. 
Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.\n\nWorkarounds:\nDeploy a WAF or reverse-proxy rule that rejects requests whose Content-Type header value does not conform to the RFC 9110 media-type grammar (i.e. anything following the subtype token that is not a valid `; parameter` list), so malformed values never reach Fastify's parser matching.\n\nFix:\n\nThe fix is available starting with v5.8.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3419.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3419.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3419","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04195","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-3419"},{"reference_url":"https://github.com/fastify/fastify","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fastify/fastify"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445295","reference_id":"2445295","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445295"},{"reference_url":"https://github.com/fastify/fastify/commit/67f6c9b32cb3623d3c9470cc17ed830dd2f083d7","reference_id":"67f6c9b32cb3623d3c9470cc17ed830dd2f083d7","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T14:55:13Z/"}],"url":"https://github.com/fastify/fastify/commit/67f6c9b32cb3623d3c9470cc17ed830dd2f083d7"},{"reference_url":"ht
tps://nvd.nist.gov/vuln/detail/CVE-2026-3419","reference_id":"CVE-2026-3419","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3419"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2026-3419","reference_id":"CVERecord?id=CVE-2026-3419","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T14:55:13Z/"}],"url":"https://www.cve.org/CVERecord?id=CVE-2026-3419"},{"reference_url":"https://github.com/advisories/GHSA-573f-x89g-hqp9","reference_id":"GHSA-573f-x89g-hqp9","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T14:55:13Z/"}],"url":"https://github.com/advisories/GHSA-573f-x89g-hqp9"},{"reference_url":"https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9","reference_id":"GHSA-573f-x89g-hqp9","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T14:55:13Z/"}],"url":"https://github
.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9"},{"reference_url":"https://httpwg.org/specs/rfc9110.html#field.content-type","reference_id":"rfc9110.html#field.content-type","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T14:55:13Z/"}],"url":"https://httpwg.org/specs/rfc9110.html#field.content-type"},{"reference_url":"https://cna.openjsf.org/security-advisories.html","reference_id":"security-advisories.html","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T14:55:13Z/"}],"url":"https://cna.openjsf.org/security-advisories.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40282?format=json","purl":"pkg:npm/fastify@5.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-64tj-czqk-gyf1"},{"vulnerability":"VCID-g4ar-bpke-2qc2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@5.8.1"}],"aliases":["CVE-2026-3419","GHSA-573f-x89g-hqp9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mjfs-h1jx-2yar"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fastify@5.7.4"}