HIGH🇬🇧 English

CVE-2026-25223

CVSS 7.5v3.1pub. 2026-02-03upd. 2026-06-30

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • Fastify

    APP
    Fastify
    < 5.7.2
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-33806HIGH7.5ten sam produkt

Impact: Fastify applications using schema.body.content for per-content-type body validation can have validati...

CVE-2025-32442HIGH7.5ten sam produkt

Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4...

CVE-2022-39288HIGH7.5ten sam produkt

fastify is a fast and low overhead web framework, for Node.js. Affected versions of fastify are subject to a d...

CVE-2018-3711HIGH7.5ten sam produkt

Fastify node module before 0.38.0 is vulnerable to a denial-of-service attack by sending a request with "Conte...

CVE-2026-3635MEDIUM6.1ten sam produkt

Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: ...