CVE-2026-25223
Validation Bypass in Fastify Body Parsing via Content-Type Header
Publication date: 2026-02-03
Last updated on: 2026-02-10
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fastify | fastify | < 5.7.2 (5.7.2 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-436 | Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Fastify, a Node.js web framework, prior to version 5.7.2. It allows attackers to bypass request body validation by manipulating the Content-Type header. Specifically, by appending a tab character followed by arbitrary content to the Content-Type header, the validation schemas that are supposed to check the request body can be completely circumvented. Despite this bypass, the server still processes the body as if it were the original content type.
How can this vulnerability impact me?
This vulnerability can lead to attackers sending malicious or malformed data to the server without being detected by the validation mechanisms. Since the validation is bypassed, the server may process harmful input, potentially leading to integrity issues. According to the CVSS score, the impact is high on integrity but does not affect confidentiality or availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Fastify to version 5.7.2 or later, where the validation bypass issue has been patched.
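The record above describes the manipulation as a tab character, followed by arbitrary text, appended to the Content-Type header so that the body is still parsed as the original media type while schema validation is skipped. The following is an added example, not code from the Fastify project or from this record: a defensive pre-parse check, written in plain JavaScript with no framework dependency, that a service could run in front of its body parser (for instance from a request hook, which is assumed here and not wired up). It flags any Content-Type value containing a tab or other control character, and it extracts the media type with a strict tokenizer that only tolerates spaces, so a tab-bearing header is rejected by two independent layers. The function names and the sample header values are constructed for illustration; upgrading to 5.7.2 or later remains the actual fix.

```javascript
// Added example (not Fastify project code): defensive Content-Type vetting
// that rejects the tab-character manipulation described for CVE-2026-25223
// before the request body reaches any parser or validator.

// Any ASCII control character (0x00-0x1F, 0x7F), which includes horizontal tab.
// HTTP header values never legitimately carry these.
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;

// Returns true when the raw header value contains a control character.
function hasControlCharacters(rawContentType) {
  if (typeof rawContentType !== 'string') return false;
  return CONTROL_CHARS.test(rawContentType);
}

// RFC 7230 "token" characters for the type and subtype. A tab is not a tchar,
// so "application/json<TAB>junk" fails this test even without the check above.
const TOKEN_PAIR = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+\/[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Strict media-type extraction: "type/subtype" before the first ";", lower-cased.
// Only spaces are stripped (String.prototype.trim would also remove tabs and
// would hide exactly the character we want to catch). Returns null if malformed.
function strictMediaType(rawContentType) {
  if (typeof rawContentType !== 'string') return null;
  const essence = rawContentType.split(';')[0].replace(/^ +| +$/g, '');
  return TOKEN_PAIR.test(essence) ? essence.toLowerCase() : null;
}

// Decision a pre-parse hook would make for one request: allow with the
// normalised media type, or reject with HTTP 400 and a reason for the logs.
function vetContentType(rawContentType) {
  if (rawContentType === undefined) {
    return { action: 'allow', mediaType: null }; // no body declared
  }
  if (hasControlCharacters(rawContentType)) {
    return { action: 'reject', status: 400, reason: 'control character in Content-Type' };
  }
  const mediaType = strictMediaType(rawContentType);
  if (mediaType === null) {
    return { action: 'reject', status: 400, reason: 'malformed media type' };
  }
  return { action: 'allow', mediaType };
}

// Constructed sample header values (not captured traffic): two benign forms,
// the tab-plus-arbitrary-text form from the record, and a NUL byte variant.
const SAMPLE_HEADERS = [
  'application/json',
  'Application/JSON; charset=utf-8',
  'application/json\tjunk',
  'text/plain\x00',
];

// Runs the check over the samples and returns one verdict row per header.
function auditSamples(headers = SAMPLE_HEADERS) {
  return headers.map((h) => ({ header: JSON.stringify(h), ...vetContentType(h) }));
}

console.log(JSON.stringify(auditSamples(), null, 2));
```

The same `vetContentType` verdict can be written to request logs with the JSON-escaped header (as `auditSamples` does), which makes tab-bearing Content-Type values easy to search for when reviewing traffic against an unpatched instance.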