CVE-2026-25223
HIGH
GHSA-jx2c-rxcm-jvmq
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3Description
Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.
Analysis
Fastify versions before 5.7.2 allow attackers to bypass request body validation by injecting a tab character into the Content-Type header, enabling malicious payloads to reach application logic without validation checks. This remote attack requires no authentication and affects Node.js applications using vulnerable Fastify versions. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all applications using Fastify and identify those running versions prior to 5.7.2; assess exposure by determining if affected services process untrusted external input. Within 7 days: Deploy Fastify 5.7.2 or later across development and staging environments; conduct regression testing of request validation logic. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today