CVE-2026-25223
Validation Bypass in Fastify Body Parsing via Content-Type Header

Publication date: 2026-02-03

Last updated on: 2026-02-10

Assigner: GitHub, Inc.

Description
Fastify is a fast, low-overhead web framework for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas selected by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-02-04
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: fastify
Product: fastify
Version / Range: up to 5.7.2 (excluding)
CWE
CWE-436 (Interpretation Conflict): Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
Executive Summary

This vulnerability exists in Fastify, a Node.js web framework, prior to version 5.7.2. It allows attackers to bypass request body validation by manipulating the Content-Type header. Specifically, by appending a tab character followed by arbitrary content to the Content-Type header, the validation schemas that are supposed to check the request body can be completely circumvented. Despite this bypass, the server still processes the body as if it were the original content type.

Impact Analysis

This vulnerability can lead to attackers sending malicious or malformed data to the server without being detected by the validation mechanisms. Since the validation is bypassed, the server may process harmful input, potentially leading to integrity issues. According to the CVSS score, the impact is high on integrity but does not affect confidentiality or availability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Fastify to version 5.7.2 or later, where the validation bypass issue has been patched.
