CVE-2026-3419
📋 TL;DR
Fastify accepts Content-Type header values that carry trailing characters after an otherwise valid media type, which RFC 9110 does not permit. An attacker can use such a header to get past content-type matching and have the request body handed to a parser that should never have received it. Fastify applications that register regex-based content-type parsers are affected.
💻 Affected Systems
- Fastify
⚠️ Manual Verification Required
The CVE record carries no version ranges, so automated version matching cannot decide whether a given deployment is affected.
Why? Neither the vendor nor NVD supplied affected-version data in the CVE entry. The vendor advisory does name v5.8.1 as the fixed release (see Fix & Mitigation below), so treat earlier releases that register regex-based content-type parsers as potentially affected until verified.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass content-type validation entirely, potentially leading to injection attacks, data corruption, or unexpected request processing if the parser that ends up handling the body is unsafe on input it was never meant to receive.
Likely Case
Bypass of content-type validation allowing requests with invalid content-types to be processed, potentially causing application errors or unexpected behavior.
If Mitigated
With proper input validation and WAF protection, impact is limited to potential application errors rather than security breaches.
🎯 Exploit Status
Exploitation requires sending malformed Content-Type headers, which is trivial to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v5.8.1
Vendor Advisory: https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9
Restart Required: Yes
Instructions:
1. Update Fastify to v5.8.1 or later using npm update fastify or yarn upgrade fastify. Check that the version range in package.json allows 5.8.1; npm update will not cross a range that pins an older major or minor version.
2. Restart your application server.
3. Test that malformed Content-Type headers are now rejected.
🔧 Temporary Workarounds
WAF Rule Implementation
Deploy a WAF rule to reject requests whose Content-Type header contains trailing characters after a valid media type. Take care not to block legitimate parameters introduced by a semicolon (for example, application/json; charset=utf-8), which are valid under RFC 9110.
🧯 If You Can't Patch
- Implement custom middleware to validate and sanitize Content-Type headers before Fastify processes them.
- Replace regex-based content-type parsers with exact string content types where possible, and remove any that your application does not actually need.
🔍 How to Verify
Check if Vulnerable:
Check if your Fastify version is below 5.8.1 and if you're using regex-based content-type parsers.
Check Version:
npm list fastify or check package.json for fastify version
Verify Fix Applied:
Send a test request with the header Content-Type: application/json garbage to a route that accepts JSON bodies and verify that the response is 415 Unsupported Media Type rather than a parsed body.
📡 Detection & Monitoring
Log Indicators:
- Requests with unusual Content-Type headers containing trailing characters
- 415 errors for previously accepted content types
Network Indicators:
- HTTP requests with malformed Content-Type headers containing text after valid MIME types
SIEM Query:
Match a media type followed by whitespace and then something other than a semicolon, for example with the regular expression ^[^;\s]+/[^;\s]+\s+[^;\s] (adapt to your SIEM's syntax). A naive pattern such as http.content_type: "* *" or a character class that excludes ';', '=', '.', '+' or quotes will flag legitimate values like application/json; charset=utf-8 and multipart/form-data; boundary=... and is not suitable as written.
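The following is an added example and not code from the Fastify project or from the advisory. It serves two sections above: the "If You Can't Patch" suggestion of custom middleware that validates Content-Type before Fastify selects a parser, and the Detection & Monitoring section's search for malformed values in logs. It implements the RFC 9110 media-type grammar (token, quoted-string, OWS ";" OWS parameters) as an anchored regular expression, so trailing characters such as the "application/json garbage" value from the verification step fail to match. The onRequest hook signature and fastify.addHook('onRequest', ...) are real Fastify API; the stub request/reply objects, the ct="..." log layout and the sample log lines are constructed for the example.

```javascript
// Added example, not Fastify project code: a strict RFC 9110 media-type
// check used (a) as a Fastify onRequest hook that rejects malformed
// Content-Type values with 415 before any body parser is chosen, and
// (b) as a detector run over constructed access-log lines.

// tchar from RFC 9110 section 5.6.2; type, subtype, parameter names and
// unquoted parameter values are all tokens.
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
// quoted-string: "..." with backslash quoted-pairs allowed inside.
const QUOTED = '"(?:[^"\\\\]|\\\\.)*"';
// One parameters element: OWS ";" OWS [ name "=" value ]  (section 8.3.1).
const PARAM = `[ \\t]*;[ \\t]*(?:(${TOKEN})=(${TOKEN}|${QUOTED}))?`;
// Anchored at both ends, so anything after the last parameter (for example
// "application/json garbage") makes the whole header fail to match.
const CONTENT_TYPE_RE = new RegExp(`^(${TOKEN})/(${TOKEN})((?:${PARAM})*)$`);

// Returns { type, subtype, parameters } for a well-formed header, or null.
function parseContentType(value) {
  if (typeof value !== 'string') return null;
  // Node strips the field value's surrounding OWS already; trim again so a
  // stray trailing space on its own is not treated as garbage.
  const m = CONTENT_TYPE_RE.exec(value.trim());
  if (m === null) return null;
  const parameters = {};
  const paramRe = new RegExp(PARAM, 'g');
  let p;
  while ((p = paramRe.exec(m[3])) !== null) {
    if (p[1] === undefined) continue;          // empty element such as "json;;"
    let v = p[2];
    if (v.startsWith('"')) v = v.slice(1, -1).replace(/\\(.)/g, '$1');
    parameters[p[1].toLowerCase()] = v;        // parameter names are case-insensitive
  }
  return { type: m[1].toLowerCase(), subtype: m[2].toLowerCase(), parameters };
}

// Fastify onRequest hook shape; register with
//   fastify.addHook('onRequest', contentTypeGuard)
// (that registration call is the only Fastify API this example relies on).
// Requests without a Content-Type pass through; a malformed one is answered
// with 415, and done() is deliberately not called after reply.send().
function contentTypeGuard(request, reply, done) {
  const header = request.headers['content-type'];
  if (header !== undefined && parseContentType(header) === null) {
    reply.code(415).send({
      statusCode: 415,
      error: 'Unsupported Media Type',
      message: 'Malformed Content-Type header',
    });
    return;
  }
  done();
}

// Drives the hook with stub request/reply objects (constructed here, not
// Fastify's) so it can be exercised without a server; reports whether the
// request was let through and the status the stub reply ended up with.
function runGuard(contentType) {
  const request = { headers: contentType === undefined ? {} : { 'content-type': contentType } };
  const reply = {
    status: 200,
    payload: undefined,
    code(c) { this.status = c; return this; },
    send(p) { this.payload = p; return this; },
  };
  let passed = false;
  contentTypeGuard(request, reply, () => { passed = true; });
  return { passed, status: reply.status };
}

// Constructed log lines (not real traffic); the ct="..." field and layout are
// assumptions about how the proxy or application logs the request header.
const SAMPLE_LOG = [
  'ts=2026-03-01T10:00:00Z method=POST path=/api/items ct="application/json; charset=utf-8" status=200',
  'ts=2026-03-01T10:00:01Z method=POST path=/api/items ct="application/json garbage" status=200',
  'ts=2026-03-01T10:00:02Z method=POST path=/upload ct="multipart/form-data; boundary=----abc123" status=201',
  'ts=2026-03-01T10:00:03Z method=POST path=/api/items ct="application/json;charset=utf-8 trailing" status=200',
  'ts=2026-03-01T10:00:04Z method=GET path=/health status=200',
];

// Detection: flag every logged Content-Type that is not a well-formed
// media-type. This catches trailing text after the type or after a parameter
// while leaving legitimate "; charset=..." and "; boundary=..." values alone.
function findMalformedContentTypes(lines) {
  const hits = [];
  for (const line of lines) {
    const m = / ct="(.*)" status=/.exec(line);
    if (m === null) continue;                  // request carried no Content-Type
    if (parseContentType(m[1]) === null) hits.push({ line, contentType: m[1] });
  }
  return hits;
}

console.log(runGuard('application/json garbage'));  // { passed: false, status: 415 }
console.log(findMalformedContentTypes(SAMPLE_LOG).map((h) => h.contentType));
```

The hook runs in onRequest, before Fastify's own content-type matching, so a regex-based parser registered with addContentTypeParser is never consulted for a header that fails the grammar. The same parseContentType function drives the log scan, which keeps the workaround and the detection rule in agreement about what "malformed" means.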
🔗 References
- https://cna.openjsf.org/security-advisories.html
- https://github.com/advisories/GHSA-573f-x89g-hqp9
- https://github.com/fastify/fastify/commit/67f6c9b32cb3623d3c9470cc17ed830dd2f083d7
- https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9
- https://httpwg.org/specs/rfc9110.html#field.content-type
- https://www.cve.org/CVERecord?id=CVE-2026-3419