Home

Description

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.

PUBLISHED Reserved 2026-01-30 | Published 2026-02-03 | Updated 2026-02-04 | Assigner GitHub_M




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Problem types

CWE-436: Interpretation Conflict

Product status

< 5.7.2
affected

References

github.com/...astify/security/advisories/GHSA-jx2c-rxcm-jvmq

github.com/...ommit/32d7b6add39ddf082d92579a58bea7018c5ac821

hackerone.com/reports/3464114

fastify.dev/...latest/Reference/Validation-and-Serialization

github.com/...8e42a17bffba7521348/lib/content-type-parser.js

github.com/...9abf953068e42a17bffba7521348/lib/validation.js

cve.org (CVE-2026-25223)

nvd.nist.gov (CVE-2026-25223)

Download JSON