Skip to main content

Fastify EUVDEUVD-2026-22818

| CVE-2026-33806 HIGH
Improper Validation of Specified Type of Input (CWE-1287)
2026-04-15 openjs GHSA-247c-9743-5963
7.5
CVSS 3.1 · Vendor: openjs
Share

Severity by source

Vendor (openjs) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (openjs).

CVSS VectorVendor: openjs

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Patch released
Apr 15, 2026 - 20:30 nvd
Patch available
Analysis Generated
Apr 15, 2026 - 01:17 vuln.today
EUVD ID Assigned
Apr 15, 2026 - 01:15 euvd
EUVD-2026-22818
Analysis Generated
Apr 15, 2026 - 01:15 vuln.today
CVE Published
Apr 15, 2026 - 00:14 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 18 npm packages depend on fastify (14 direct, 4 indirect)

Ecosystem-wide dependent count for version 5.3.2.

DescriptionCVE.org

Impact:

Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.

This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442

Patches:

Upgrade to fastify v5.8.5 or later.

Workarounds:

None. Upgrade to the patched version.

AnalysisAI

Remote validation bypass in Fastify 5.3.2+ allows unauthenticated attackers to bypass per-content-type body schema validation by prepending a single space character to the Content-Type HTTP header. Applications using schema.body.content for request validation accept malformed or malicious payloads that should be rejected, enabling data integrity violations. This regression was introduced by the fix for CVE-2025-32442. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis. Affects Fastify web framework version 5.3.2 through 5.8.4.

Technical ContextAI

Fastify is a high-performance Node.js web framework supporting JSON Schema-based request validation. The vulnerability targets applications using the schema.body.content configuration for content-type-specific body validation, where different schemas can be applied based on Content-Type headers (e.g., application/json vs multipart/form-data). The CWE-1287 classification indicates improper validation of specified type of input, specifically a header parsing inconsistency. The framework's Content-Type matching logic fails when the header value contains leading whitespace, causing a mismatch between the parsing layer (which correctly handles ' application/json') and the validation layer (which expects 'application/json'). This creates a parsing differential where the body is processed according to the content type but validation is entirely skipped, violating the principle of defense in depth in input validation pipelines.

RemediationAI

Upgrade to Fastify version 5.8.5 or later, which contains the complete fix for the header parsing inconsistency. The vendor explicitly states no workarounds are available, making immediate upgrade the only remediation path. Node.js package managers can upgrade via 'npm update fastify@5.8.5' or 'yarn upgrade fastify@5.8.5'. Organizations unable to upgrade immediately should audit all Fastify route handlers using schema.body.content configuration and implement additional server-side validation or input sanitization as compensating controls, though this does not fully mitigate the vulnerability. Reference the OpenJS Foundation security advisory at https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc and https://cna.openjsf.org/security-advisories.html for complete vendor guidance and verification of patched deployments.

Vendor StatusVendor

Share

EUVD-2026-22818 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy