What is the CVSS score of CVE-2026-25223?

CVE-2026-25223 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Node.js are affected by CVE-2026-25223?

Fastify versions prior to 5.7.2 contain a validation bypass vulnerability that allows attackers to circumvent request body validation controls, potentially enabling injection attacks, data…. A patch is available.

How to fix or mitigate CVE-2026-25223?

Within 24 hours: Inventory all applications using Fastify and identify those running versions prior to 5.7.2; assess exposure by determining if affected services process untrusted external input. Within 7 days: Deploy Fastify 5.7.2 or later across development and staging environments; conduct regression testing of request validation logic. Within 30 days: Complete production deployment of patched versions; validate that all Content-Type validation schemas are functioning as intended post-upgrade.

Node.js CVE-2026-25223

HIGH

Interpretation Conflict (CWE-436)

2026-02-03 security-advisories@github.com

GHSA-jx2c-rxcm-jvmq

Node.js Fastify Red Hat

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Red Hat

7.5 HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Patch released

Feb 10, 2026 - 20:05 nvd

Patch available

CVE Published

Feb 03, 2026 - 22:16 nvd

HIGH 7.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

28 npm packages depend on fastify (17 direct, 11 indirect)

Ecosystem-wide dependent count for version 5.7.2.

DescriptionGitHub Advisory

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.

AnalysisAI

Fastify versions before 5.7.2 allow attackers to bypass request body validation by injecting a tab character into the Content-Type header, enabling malicious payloads to reach application logic without validation checks. This remote attack requires no authentication and affects Node.js applications using vulnerable Fastify versions. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft HTTP request with malicious Content-Type header

Exploit

Append tab character and arbitrary content

Execution

Bypass body validation schema

Impact

Process request with unvalidated payload

Access

Craft HTTP request with malicious Content-Type header

Exploit

Append tab character and arbitrary content

Execution

Bypass body validation schema

Impact

Process request with unvalidated payload

Vulnerability AssessmentAI

Exploitation	Fastify versions prior to 5.7.2 with request body validation schemas enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this vulnerability to compromise the affected system.
Remediation	A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all applications using Fastify and identify those running versions prior to 5.7.2; assess exposure by determining if affected services process untrusted external input. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53633 CRITICAL Act Now

9.8 Jun 15

Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) a

CVE-2026-48714 CRITICAL Act Now

9.1 Jun 15

Remote prototype pollution in i18next-http-middleware before 3.9.7 allows unauthenticated attackers to write to Object.p

CVE-2026-53609 CRITICAL Act Now

9.1 Jun 12

Prototype pollution in ApostropheCMS versions up to and including 4.30.0 allows an authenticated editor to poison Object

CVE-2026-48054 HIGH This Week

8.8 Jun 11

Code injection in OpenZeppelin Contracts Wizard's `@openzeppelin/wizard` npm package (<=0.10.8) allows attacker-supplied

CVE-2026-53608 HIGH This Week

8.7 Jun 12

Stored cross-site scripting in the @apostrophecms/seo plugin (versions ≤1.4.2) allows any user holding the default edito

Vendor StatusVendor

CVE-2026-25223 vulnerability details – vuln.today

Back

Node.js CVE-2026-25223

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

Blast Radius

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code