CVE-2026-25223
📋 TL;DR
Fastify versions before 5.7.2 have a validation bypass vulnerability where attackers can circumvent request body validation by appending a tab character followed by arbitrary content to the Content-Type header. This allows malicious payloads to bypass validation while the server still processes them as the original content type. All Fastify applications using request body validation are affected.
💻 Affected Systems
- Fastify
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious data that bypasses validation, potentially leading to injection attacks, data corruption, or unauthorized actions depending on the application logic.
Likely Case
Attackers bypass input validation to submit malformed or malicious data that should have been rejected, potentially causing application errors or data integrity issues.
If Mitigated
With proper input sanitization at the application layer and additional validation checks, the impact would be limited to the validation bypass itself, with no direct path to exploitation.
🎯 Exploit Status
The vulnerability is simple to exploit by modifying HTTP headers, and proof-of-concept code is available in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.7.2
Vendor Advisory: https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq
Restart Required: Yes
Instructions:
1. Update Fastify to version 5.7.2 or later using npm: npm update fastify
2. Restart your Node.js application
3. Verify the update was successful
🔧 Temporary Workarounds
Content-Type Header Validation (applies to: all)
Implement middleware to validate and sanitize Content-Type headers before they reach Fastify's parser
Input Validation Enhancement (applies to: all)
Add additional validation layers in application code beyond Fastify's built-in validation
🧯 If You Can't Patch
- Implement WAF rules to block HTTP requests with tab characters in Content-Type headers
- Deploy additional validation middleware that strips or rejects malformed Content-Type headers
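The Content-Type validation workaround above, written out as an added example (not code from the advisory or the Fastify project): a Fastify-style onRequest hook that rejects header values containing tab or other control characters, or that are not a well-formed media type, so such requests never reach the body parser or schema validation. It assumes Fastify's callback-style hook signature (request, reply, done); the request/reply objects in runHook() are constructed stand-ins so the block runs without Fastify installed.

```javascript
// Added example: reject malformed Content-Type values before Fastify parses the body.
// Register with: fastify.addHook('onRequest', rejectMalformedContentType)

const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";          // RFC 9110 token
const QUOTED = '"(?:[^"\\\\]|\\\\.)*"';                   // quoted-string
// type "/" subtype *( OWS ";" OWS parameter ), with OWS restricted to spaces
const MEDIA_TYPE_RE = new RegExp(
  `^${TOKEN}/${TOKEN}(?: *; *${TOKEN}=(?:${TOKEN}|${QUOTED}))* *$`
);

// Returns { ok, reason } for a raw Content-Type header value.
function checkContentType(value) {
  if (value === undefined) return { ok: true, reason: 'no Content-Type' };
  // Tab (\t) and other control characters are never part of a valid media type.
  if (/[\x00-\x1f\x7f]/.test(value)) {
    return { ok: false, reason: 'control character in Content-Type' };
  }
  if (!MEDIA_TYPE_RE.test(value)) {
    return { ok: false, reason: 'malformed Content-Type' };
  }
  return { ok: true, reason: 'ok' };
}

// Hook body in Fastify's (request, reply, done) callback style.
function rejectMalformedContentType(request, reply, done) {
  const verdict = checkContentType(request.headers['content-type']);
  if (!verdict.ok) {
    // Replying from a hook ends the hook chain; done() is intentionally not called.
    reply.code(400).send({ error: verdict.reason });
    return;
  }
  done();
}

// Drives the hook with a constructed request/reply pair (stand-ins, not Fastify
// objects) and reports whether the request passed through or was rejected.
function runHook(contentType) {
  const headers = contentType === undefined ? {} : { 'content-type': contentType };
  let passed = false;
  const reply = {
    status: null, body: null,
    code(c) { this.status = c; return this; },
    send(b) { this.body = b; return this; },
  };
  rejectMalformedContentType({ headers }, reply, () => { passed = true; });
  return { passed, status: reply.status, reason: reply.body && reply.body.error };
}
```

A request carrying `application/json` followed by a tab and trailing text is answered with 400 before any route handler runs, while ordinary values such as `application/json; charset=utf-8` pass through.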
🔍 How to Verify
Check if Vulnerable:
Check your package.json or run: npm list fastify | grep fastify
Check Version:
npm list fastify | grep fastify
Verify Fix Applied:
Verify Fastify version is 5.7.2 or higher: npm list fastify
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with Content-Type headers containing tab characters (\t)
- Validation errors that should have been triggered but weren't
Network Indicators:
- HTTP requests with malformed Content-Type headers containing tab characters
SIEM Query:
http.content_type:*\t* OR http.headers.content_type:*\t*
🔗 References
- https://fastify.dev/docs/latest/Reference/Validation-and-Serialization
- https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125
- https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272
- https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821
- https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq
- https://hackerone.com/reports/3464114