High severity · NVD Advisory · Published Apr 18, 2025 · Updated Aug 22, 2025
Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass
CVE-2025-32442
Description
Fastify is a fast and low overhead web framework for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types can have validation bypassed by a request that provides a _slightly altered_ content type, such as one with different casing or altered whitespace before `;`. This was patched in v5.3.1, but the initial patch did not cover all problems. This has been fully patched in v5.3.2 and v4.29.1. A workaround involves not specifying individual content types in the schema.
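A simplified model of the lookup mismatch described above, added here as an illustration and not taken from Fastify's code base: validators keyed by exact media type are missed when the header differs in casing or has whitespace before `;`, while a trimmed, lowercased key finds them. The names `validators`, `naiveKey`, `normalizedKey` and `validateStrict` are assumptions, the sample requests are constructed, and the fail-closed wrapper goes slightly beyond the advisory text.

```javascript
// Simplified model of per-content-type body validation (not Fastify's source).
// Validators are keyed by media type, as in a schema that lists content types.
const validators = {
  'application/json': (body) =>
    typeof body === 'object' && body !== null && typeof body.name === 'string',
  'text/plain': (body) => typeof body === 'string' && body.length <= 64,
};

// Naive key: drops parameters but keeps the sender's casing and spacing.
function naiveKey(header) {
  return header.split(';', 1)[0];
}

// Normalized key: media types are case-insensitive and may carry optional
// whitespace before ';', so trim and lowercase before the lookup.
function normalizedKey(header) {
  return header.split(';', 1)[0].trim().toLowerCase();
}

// Returns 'valid', 'invalid', or 'skipped' (no validator matched, body unchecked).
function validate(header, body, keyFn) {
  const key = keyFn(header);
  const known = Object.prototype.hasOwnProperty.call(validators, key);
  if (!known) return 'skipped';
  return validators[key](body) ? 'valid' : 'invalid';
}

// Fail-closed variant: a content type with no validator is rejected, not passed.
function validateStrict(header, body) {
  const result = validate(header, body, normalizedKey);
  return result === 'skipped' ? 'rejected' : result;
}

// Constructed samples: the same invalid body under three header spellings.
const badBody = { name: 42 };
const samples = ['application/json', 'Application/JSON', 'application/json ; charset=utf-8'];

function report() {
  return samples.map((header) => ({
    header,
    naive: validate(header, badBody, naiveKey),
    normalized: validate(header, badBody, normalizedKey),
  }));
}

console.log(report());
```

A `skipped` result in the `naive` column is the condition to test for when auditing an application that defines per-content-type schemas on an affected version.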
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fastify (npm) | >= 5.0.0, < 5.3.2 | 5.3.2 |
| fastify (npm) | >= 4.29.0, < 4.29.1 | 4.29.1 |
References
- github.com/advisories/GHSA-mg2h-6x62-wpwc (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-32442 (ghsa: ADVISORY)
- github.com/fastify/fastify/commit/436da4c06dfbbb8c24adee3a64de0c51e4f47418 (ghsa: x_refsource_MISC, WEB)
- github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4 (ghsa: x_refsource_MISC, WEB)
- github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc (ghsa: x_refsource_CONFIRM, WEB)
- hackerone.com/reports/3087928 (ghsa: x_refsource_MISC, WEB)