CVE-2026-25223
Modified Modified - Updated After Analysis

Validation Bypass in Fastify Body Parsing via Content-Type Header

Vulnerability report for CVE-2026-25223, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-03

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-03
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-02-04
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
fastify fastify to 5.7.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-179 The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.
CWE-436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Fastify, a Node.js web framework, prior to version 5.7.2. It allows attackers to bypass request body validation by manipulating the Content-Type header. Specifically, by appending a tab character followed by arbitrary content to the Content-Type header, the validation schemas that are supposed to check the request body can be completely circumvented. Despite this bypass, the server still processes the body as if it were the original content type.

Impact Analysis

This vulnerability can lead to attackers sending malicious or malformed data to the server without being detected by the validation mechanisms. Since the validation is bypassed, the server may process harmful input, potentially leading to integrity issues. According to the CVSS score, the impact is high on integrity but does not affect confidentiality or availability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Fastify to version 5.7.2 or later, where the validation bypass issue has been patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25223. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart