VulnerableCode Package Details - pkg:npm/fastify@5.7.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-64tj-czqk-gyf1 Aliases: CVE-2026-33806 GHSA-247c-9743-5963	Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442 Patches: Upgrade to fastify v5.8.5 or later. Workarounds: None. Upgrade to the patched version.	5.8.5 Affected by 0 other vulnerabilities.
VCID-6ht9-gg8u-9qax Aliases: CVE-2026-25224 GHSA-mrq3-vjjr-p77c	Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.	5.7.3 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-g4ar-bpke-2qc2 Aliases: CVE-2026-3635 GHSA-444r-cwp2-x5xf	Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application. Affected Versions fastify <= 5.8.2 Impact Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function. When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.	5.8.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-mjfs-h1jx-2yar Aliases: CVE-2026-3419 GHSA-573f-x89g-hqp9	Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type. When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached. Impact: An attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid. Workarounds: Deploy a WAF rule to protect against this Fix: The fix is available starting with v5.8.1.	5.8.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-64tj-czqk-gyf1
Aliases:
CVE-2026-33806
GHSA-247c-9743-5963

Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442 Patches: Upgrade to fastify v5.8.5 or later. Workarounds: None. Upgrade to the patched version.

5.8.5
Affected by 0 other vulnerabilities.

VCID-6ht9-gg8u-9qax
Aliases:
CVE-2026-25224
GHSA-mrq3-vjjr-p77c

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.

5.7.3
Affected by 3 other vulnerabilities.

VCID-g4ar-bpke-2qc2
Aliases:
CVE-2026-3635
GHSA-444r-cwp2-x5xf

Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application. Affected Versions fastify <= 5.8.2 Impact Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function. When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.

5.8.3
Affected by 1 other vulnerability.

VCID-mjfs-h1jx-2yar
Aliases:
CVE-2026-3419
GHSA-573f-x89g-hqp9

Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type. When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached. Impact: An attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid. Workarounds: Deploy a WAF rule to protect against this Fix: The fix is available starting with v5.8.1.

5.8.1
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-8p2p-977a-qqb6	Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.	CVE-2026-25223 GHSA-jx2c-rxcm-jvmq

Vulnerability

Summary

Aliases

VCID-8p2p-977a-qqb6

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.

CVE-2026-25223
GHSA-jx2c-rxcm-jvmq

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T22:05:37.736862+00:00	GitLab Importer	Affected by	VCID-64tj-czqk-gyf1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fastify/CVE-2026-33806.yml	38.6.0
2026-06-12T21:37:19.726821+00:00	GitLab Importer	Affected by	VCID-g4ar-bpke-2qc2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fastify/CVE-2026-3635.yml	38.6.0
2026-06-12T20:54:39.480025+00:00	GitLab Importer	Affected by	VCID-6ht9-gg8u-9qax	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fastify/CVE-2026-25224.yml	38.6.0
2026-06-12T15:51:07.879181+00:00	GitLab Importer	Affected by	VCID-mjfs-h1jx-2yar	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fastify/CVE-2026-3419.yml	38.6.0
2026-06-12T15:50:16.185767+00:00	GitLab Importer	Fixing	VCID-8p2p-977a-qqb6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fastify/CVE-2026-25223.yml	38.6.0
2026-06-12T07:48:03.559444+00:00	GithubOSV Importer	Fixing	VCID-8p2p-977a-qqb6	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-jx2c-rxcm-jvmq/GHSA-jx2c-rxcm-jvmq.json	38.6.0
2026-06-11T20:38:30.701060+00:00	GHSA Importer	Affected by	VCID-mjfs-h1jx-2yar	https://github.com/advisories/GHSA-573f-x89g-hqp9	38.6.0
2026-06-11T20:37:45.362882+00:00	GHSA Importer	Affected by	VCID-6ht9-gg8u-9qax	https://github.com/advisories/GHSA-mrq3-vjjr-p77c	38.6.0
2026-06-11T20:37:45.333489+00:00	GHSA Importer	Fixing	VCID-8p2p-977a-qqb6	https://github.com/advisories/GHSA-jx2c-rxcm-jvmq	38.6.0