Description

Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442.

Patches: Upgrade to fastify v5.8.5 or later.

Workarounds: None. Upgrade to the patched version.

PUBLISHED Reserved 2026-03-23 | Published 2026-04-15 | Updated 2026-04-15 | Assigner openjs




HIGH: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Problem types

CWE-1287: Improper Validation of Specified Type of Input

Product status

Default status: unaffected

5.3.2 (semver) before 5.8.5: affected

5.8.5 (semver): unaffected

Credits

mcollina remediation developer

climba03003 remediation reviewer

jsumners remediation reviewer

UlisesGascon remediation reviewer

Vyntral reporter

References

github.com/...astify/security/advisories/GHSA-mg2h-6x62-wpwc

cna.openjsf.org/security-advisories.html

cve.org (CVE-2026-33806)

nvd.nist.gov (CVE-2026-33806)
