CVE-2026-3419
Received Received - Intake
Content-Type Validation Bypass in Fastify Enables Request Misrouting

Publication date: 2026-03-06

Last updated on: 2026-03-18

Assigner: openjs

Description
Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 Β§8.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type. When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached. Impact: An attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid. Workarounds: Deploy a WAF rule to protect against this Fix: The fix is available starting with v5.8.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3419
EUVD
EUVD-2026-10056
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fastify fastify From 5.7.2 (inc) to 5.8.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-185 The product specifies a regular expression in a way that causes data to be improperly matched or compared.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3419 is a moderate severity vulnerability in the Fastify web framework affecting versions from 5.7.2 up to 5.8.0. The issue arises because Fastify incorrectly accepts malformed Content-Type headers that contain trailing invalid characters after the subtype token, such as "application/json garbage". This behavior violates the HTTP specification RFC 9110 Β§8.3.1, which requires strict validation of Content-Type headers.'}, {'type': 'paragraph', 'content': 'Due to a missing end anchor in the regular expression used to validate Content-Type headers, these malformed headers pass validation and are processed normally instead of being rejected with a 415 Unsupported Media Type error. When regex-based content-type parsers are used, the entire malformed string, including the trailing garbage, is matched against registered parsers. This can cause requests with invalid Content-Type headers to be routed to and processed by inappropriate parsers.'}] [1, 3]

Impact Analysis

An attacker can exploit this vulnerability by sending requests with malformed Content-Type headers that bypass the usual validation checks. These requests, which should normally be rejected, are instead accepted and processed by the server.

This can lead to unintended processing of malformed or malicious data by content-type parsers that were not designed to handle such inputs, potentially causing unexpected behavior or low integrity impact on the server. Although there is no direct confidentiality or availability impact, the integrity of the processing can be compromised.

A workaround to mitigate this risk is to deploy a Web Application Firewall (WAF) rule that blocks malformed Content-Type headers until the official fix is applied.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP requests for malformed Content-Type headers that contain trailing invalid characters after the subtype token, such as "application/json garbage". Such headers violate RFC 9110 Β§8.3.1 and should normally be rejected with a 415 Unsupported Media Type response but are accepted due to the flaw.'}, {'type': 'paragraph', 'content': 'To detect this on your network or system, you can capture and inspect HTTP request headers for Content-Type values that do not strictly conform to the expected media type format. For example, you can use tools like tcpdump, Wireshark, or command-line utilities like curl combined with grep or awk to filter suspicious Content-Type headers.'}, {'type': 'list_item', 'content': "Use tcpdump to capture HTTP traffic and filter for Content-Type headers with trailing garbage: tcpdump -A -s 0 'tcp port 80' | grep -i 'Content-Type: '"}, {'type': 'list_item', 'content': "Use curl to send test requests with malformed Content-Type headers and observe server responses: curl -v -H 'Content-Type: application/json garbage' http://yourserver/"}, {'type': 'list_item', 'content': 'Use log analysis tools or scripts to scan web server logs for requests containing malformed Content-Type headers.'}] [1, 3]

Mitigation Strategies

Immediate mitigation steps include deploying a Web Application Firewall (WAF) rule to block or reject HTTP requests containing malformed Content-Type headers with trailing invalid characters. This can prevent such requests from reaching the vulnerable Fastify server.

Additionally, upgrading Fastify to version 5.8.1 or later is the definitive fix, as this version includes corrected regular expressions and enhanced validation logic that properly rejects malformed Content-Type headers in compliance with RFC 9110.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3419. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart