Vulnerability Description
Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fastify | Fastify | < 5.7.2 |
Related Weaknesses (CWE)
References
- https://fastify.dev/docs/latest/Reference/Validation-and-SerializationProductTechnical Description
- https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348Product
- https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348Product
- https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac8Patch
- https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmqVendor AdvisoryMitigation
- https://hackerone.com/reports/3464114Permissions Required
FAQ
What is CVE-2026-25223?
CVE-2026-25223 is a vulnerability with a CVSS score of 7.5 (HIGH). Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Ty...
How severe is CVE-2026-25223?
CVE-2026-25223 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25223?
Check the references section above for vendor advisories and patch information. Affected products include: Fastify Fastify.