Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from Vendor (openjs).
CVSS VectorVendor: openjs
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 18 npm packages depend on fastify (14 direct, 4 indirect)
Ecosystem-wide dependent count for version 5.3.2.
DescriptionCVE.org
Impact:
Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.
This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442
Patches:
Upgrade to fastify v5.8.5 or later.
Workarounds:
None. Upgrade to the patched version.
AnalysisAI
Remote validation bypass in Fastify 5.3.2+ allows unauthenticated attackers to bypass per-content-type body schema validation by prepending a single space character to the Content-Type HTTP header. Applications using schema.body.content for request validation accept malformed or malicious payloads that should be rejected, enabling data integrity violations. This regression was introduced by the fix for CVE-2025-32442. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis. Affects Fastify web framework version 5.3.2 through 5.8.4.
Technical ContextAI
Fastify is a high-performance Node.js web framework supporting JSON Schema-based request validation. The vulnerability targets applications using the schema.body.content configuration for content-type-specific body validation, where different schemas can be applied based on Content-Type headers (e.g., application/json vs multipart/form-data). The CWE-1287 classification indicates improper validation of specified type of input, specifically a header parsing inconsistency. The framework's Content-Type matching logic fails when the header value contains leading whitespace, causing a mismatch between the parsing layer (which correctly handles ' application/json') and the validation layer (which expects 'application/json'). This creates a parsing differential where the body is processed according to the content type but validation is entirely skipped, violating the principle of defense in depth in input validation pipelines.
RemediationAI
Upgrade to Fastify version 5.8.5 or later, which contains the complete fix for the header parsing inconsistency. The vendor explicitly states no workarounds are available, making immediate upgrade the only remediation path. Node.js package managers can upgrade via 'npm update fastify@5.8.5' or 'yarn upgrade fastify@5.8.5'. Organizations unable to upgrade immediately should audit all Fastify route handlers using schema.body.content configuration and implement additional server-side validation or input sanitization as compensating controls, though this does not fully mitigate the vulnerability. Reference the OpenJS Foundation security advisory at https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc and https://cna.openjsf.org/security-advisories.html for complete vendor guidance and verification of patched deployments.
Fastify is a fast and low overhead web framework, for Node.js. Rated high severity (CVSS 7.5), this vulnerability is rem
Fastify node module before 0.38.0 is vulnerable to a denial-of-service attack by sending a request with "Content-Type: a
A denial of service vulnerability exists in Fastify v2.14.1 and v3.0.0-rc.4 that allows a malicious user to trigger reso
Fastify is a web framework with minimal overhead and plugin architecture. Rated high severity (CVSS 8.8), this vulnerabi
Fastify versions before 5.7.2 allow attackers to bypass request body validation by injecting a tab character into the Co
fastify is a fast and low overhead web framework, for Node.js. Rated high severity (CVSS 7.5), this vulnerability is rem
Fastify improperly validates Content-Type headers by accepting RFC 9110-violating malformed values with trailing charact
Same technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22818
GHSA-247c-9743-5963