CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Blast Radius
Ecosystem impact: 18 npm packages depend on fastify (14 direct, 4 indirect)
Ecosystem-wide dependent count for version 5.3.2.
Description (NVD)
Impact:
Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.
This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442.
Patches:
Upgrade to fastify v5.8.5 or later.
Workarounds:
None. Upgrade to the patched version.
Analysis (AI)
Remote validation bypass in Fastify 5.3.2+ allows unauthenticated attackers to bypass per-content-type body schema validation by prepending a single space character to the Content-Type HTTP header. Applications using schema.body.content for request validation accept malformed or malicious payloads that should be rejected, enabling data integrity violations. …
Remediation (AI)
Within 24 hours: Identify all applications running Fastify 5.3.2-5.8.4 using dependency scanning tools; document affected systems and data sensitivity. Within 7 days: Apply Content-Type header validation at reverse proxy/load balancer level to strip or reject headers with leading whitespace; implement request logging to detect attempted exploits. …
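One way to carry out the first remediation step, finding installations in the affected range (fastify 5.3.2 through 5.8.4), shown as an added example that is not part of the advisory or of Fastify itself. It scans the packages map of an npm lockfile for top-level and nested copies of fastify; the lockfile contents are constructed sample data and the function names are this example's own.

```javascript
'use strict';
// Version bounds taken from the advisory text on this page.
const AFFECTED_FROM = [5, 3, 2]; // first affected release
const FIXED_IN = [5, 8, 5];      // first patched release

// Parse "MAJOR.MINOR.PATCH[-pre]"; returns null for anything else (e.g. a missing version).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m ? { parts: m.slice(1, 4).map(Number), pre: Boolean(m[4]) } : null;
}

// Numeric three-way compare of two [major, minor, patch] arrays.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (v === null) return false;
  const vsFixed = compare(v.parts, FIXED_IN);
  // A pre-release of the fixed version sorts below it, so flag it conservatively.
  return compare(v.parts, AFFECTED_FROM) >= 0 && (vsFixed < 0 || (vsFixed === 0 && v.pre));
}

// Return every installed copy of fastify in the affected range.
function findAffectedFastify(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    // Keys look like "node_modules/fastify" or "node_modules/x/node_modules/fastify".
    if (!path.endsWith('node_modules/fastify')) continue;
    if (isAffected(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile (lockfileVersion 3 layout), not from a real project.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/fastify': { version: '5.8.5' },
    'node_modules/legacy-plugin/node_modules/fastify': { version: '5.4.0' },
    'node_modules/fastify-plugin': { version: '5.0.1' },
  },
};
console.log(findAffectedFastify(SAMPLE_LOCKFILE));
```

A patched top-level fastify does not clear the project: a dependency can still pin its own nested copy inside the affected range, which is the case the sample data exercises.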
EUVD-2026-22818
GHSA-247c-9743-5963