Fastify
Monthly
Fastify improperly validates Content-Type headers by accepting RFC 9110-violating malformed values with trailing characters, allowing attackers to bypass content-type restrictions and route requests to unintended parsers. When regex-based content-type parsing is enabled, requests with invalid Content-Type headers such as "application/json garbage" are processed normally instead of being rejected, potentially enabling request misrouting and manipulation of parser behavior. No patch is currently available for this medium-severity vulnerability affecting Fastify applications.
Fastify versions before 5.7.2 allow attackers to bypass request body validation by injecting a tab character into the Content-Type header, enabling malicious payloads to reach application logic without validation checks. This remote attack requires no authentication and affects Node.js applications using vulnerable Fastify versions. A patch is available in version 5.7.2 and later.
Fastify is a fast and low overhead web framework, for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Fastify improperly validates Content-Type headers by accepting RFC 9110-violating malformed values with trailing characters, allowing attackers to bypass content-type restrictions and route requests to unintended parsers. When regex-based content-type parsing is enabled, requests with invalid Content-Type headers such as "application/json garbage" are processed normally instead of being rejected, potentially enabling request misrouting and manipulation of parser behavior. No patch is currently available for this medium-severity vulnerability affecting Fastify applications.
Fastify versions before 5.7.2 allow attackers to bypass request body validation by injecting a tab character into the Content-Type header, enabling malicious payloads to reach application logic without validation checks. This remote attack requires no authentication and affects Node.js applications using vulnerable Fastify versions. A patch is available in version 5.7.2 and later.
Fastify is a fast and low overhead web framework, for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.