Vulnerability Description
Fastify is a fast and low-overhead web framework for Node.js. In versions 5.0.0 to 5.3.0, as well as version 4.29.0, applications that specify different validation strategies for different content types can have that validation bypassed by a request whose content type is _slightly altered_, for example with different casing or different whitespace before `;`. This was patched in v5.3.1, but the initial patch did not cover all problems; it has been fully patched in v5.3.2 and v4.29.1. A workaround is to not specify individual content types in the schema.
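To make the mismatch in the description concrete, here is an added example (not Fastify's code and not the patch) contrasting a schema lookup keyed on the raw Content-Type string with one keyed on the normalized media type; the schema table, function names and the 415 policy are constructed for the illustration.

```javascript
// Added illustration for this advisory, not Fastify's own code: a
// per-content-type schema table (constructed) keyed by media type.
const schemasByContentType = {
  'application/json': { type: 'object', required: ['id'] },
  'text/plain': { type: 'string', maxLength: 16 },
};

// Weak lookup: the raw Content-Type header value is the key, so any value
// that is not byte-identical (different casing, extra whitespace before
// ';', an added parameter) matches nothing.
function selectSchemaExact(contentType, table = schemasByContentType) {
  return table[contentType] || null;
}

// Reduce a Content-Type value to its media type: drop parameters after
// ';', trim, and lower-case (media types are case-insensitive per RFC 7231).
// Anything that is not a plain type/subtype token pair yields null.
const TOKEN = "[!#$%&'*+.^_`|~0-9a-z-]+";
const MEDIA_TYPE_RE = new RegExp(`^${TOKEN}/${TOKEN}$`);
function normalizeMediaType(contentType) {
  if (typeof contentType !== 'string') return null;
  const mediaType = contentType.split(';', 1)[0].trim().toLowerCase();
  return MEDIA_TYPE_RE.test(mediaType) ? mediaType : null;
}

// Hardened lookup: key on the normalized media type, and only honour the
// table's own keys (no inherited properties such as 'constructor').
function selectSchemaNormalized(contentType, table = schemasByContentType) {
  const key = normalizeMediaType(contentType);
  if (key === null || !Object.prototype.hasOwnProperty.call(table, key)) return null;
  return table[key];
}

// Dispatch policy used by the example: an unmatched content type either
// silently skips validation (the unsafe default) or is rejected with 415.
function dispatch(contentType, lookup, rejectUnknown) {
  const schema = lookup(contentType);
  if (schema) return { action: 'validate', schema };
  return rejectUnknown ? { action: 'reject', status: 415 } : { action: 'skip' };
}
```

The exact lookup treats `Application/JSON` and `application/json ; charset=utf-8` as unknown types, which is exactly the gap the advisory describes; the normalized lookup maps both to the same schema.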
CVSS Score
HIGH (base score 7.5)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fastify | Fastify | >= 5.0.0, < 5.3.2 |
Related Weaknesses (CWE)
References
- https://github.com/fastify/fastify/commit/436da4c06dfbbb8c24adee3a64de0c51e4f474 (Patch)
- https://github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692f (Patch)
- https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc (Exploit, Third Party Advisory)
- https://hackerone.com/reports/3087928 (Permissions Required)
FAQ
What is CVE-2025-32442?
CVE-2025-32442 is a vulnerability with a CVSS score of 7.5 (HIGH). Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content typ...
How severe is CVE-2025-32442?
CVE-2025-32442 has been rated HIGH with a CVSS base score of 7.5/10; see the CVSS Score section above.
Is there a patch for CVE-2025-32442?
Check the references section above for vendor advisories and patch information. Affected products include Fastify (vendor: Fastify); see the Affected Products table above.