High severity7.5NVD Advisory· Published Apr 15, 2026· Updated Apr 17, 2026

CVE-2026-33806

Description

Impact:

Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.

This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442

Patches:

Upgrade to fastify v5.8.5 or later.

Workarounds:

None. Upgrade to the patched version.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
fastifynpm	>= 5.3.2, < 5.8.5	5.8.5

Affected products

Fastify/Fastify
cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*
Range: >=5.3.2,<5.8.5

Patches

f3d2bcb3963c

fix: treat space as a delimiter in content-type parsing (#6064)

https://github.com/fastify/fastifyMatteo CollinaApr 18, 2025via ghsa

commit

2 files changed · +32 −16

lib/validation.js+1 −1 modified

@@ -261,7 +261,7 @@ function wrapValidationError (result, dataVar, schemaErrorFormatter) {
  */
 function getEssenceMediaType (header) {
   if (!header) return ''
-  return header.split(';', 1)[0].trim().toLowerCase()
+  return header.split(/[ ;]/, 1)[0].trim().toLowerCase()
 }
 
 module.exports = {

test/schema-validation.test.js+31 −15 modified

@@ -2,6 +2,7 @@
 
 const { test } = require('tap')
 const Fastify = require('..')
+const { request } = require('undici')
 
 const AJV = require('ajv')
 const Schema = require('fluent-json-schema')
@@ -1342,7 +1343,7 @@ test('Schema validation when no content type is provided', async t => {
 })
 
 test('Schema validation will not be bypass by different content type', async t => {
-  t.plan(8)
+  t.plan(10)
 
   const fastify = Fastify()
 
@@ -1365,58 +1366,73 @@ test('Schema validation will not be bypass by different content type', async t =
     }
   }, async () => 'ok')
 
-  await fastify.ready()
+  await fastify.listen({ port: 0 })
+  t.teardown(() => fastify.close())
+  const address = fastify.listeningOrigin
 
-  const correct1 = await fastify.inject({
+  const correct1 = await request(address, {
     method: 'POST',
     url: '/',
     headers: {
       'content-type': 'application/json'
     },
-    body: { foo: 'string' }
+    body: JSON.stringify({ foo: 'string' })
   })
   t.equal(correct1.statusCode, 200)
+  await correct1.body.dump()
 
-  const correct2 = await fastify.inject({
+  const correct2 = await request(address, {
     method: 'POST',
     url: '/',
     headers: {
       'content-type': 'application/json; charset=utf-8'
     },
-    body: { foo: 'string' }
+    body: JSON.stringify({ foo: 'string' })
   })
   t.equal(correct2.statusCode, 200)
+  await correct2.body.dump()
 
-  const invalid1 = await fastify.inject({
+  const invalid1 = await request(address, {
     method: 'POST',
     url: '/',
     headers: {
       'content-type': 'application/json ;'
     },
-    body: { invalid: 'string' }
+    body: JSON.stringify({ invalid: 'string' })
   })
   t.equal(invalid1.statusCode, 400)
-  t.equal(invalid1.json().code, 'FST_ERR_VALIDATION')
+  t.equal((await invalid1.body.json()).code, 'FST_ERR_VALIDATION')
 
-  const invalid2 = await fastify.inject({
+  const invalid2 = await request(address, {
     method: 'POST',
     url: '/',
     headers: {
       'content-type': 'ApPlIcAtIoN/JsOn;'
     },
-    body: { invalid: 'string' }
+    body: JSON.stringify({ invalid: 'string' })
   })
   t.equal(invalid2.statusCode, 400)
-  t.equal(invalid2.json().code, 'FST_ERR_VALIDATION')
+  t.equal((await invalid2.body.json()).code, 'FST_ERR_VALIDATION')
 
-  const invalid3 = await fastify.inject({
+  const invalid3 = await request(address, {
     method: 'POST',
     url: '/',
     headers: {
       'content-type': 'ApPlIcAtIoN/JsOn ;'
     },
-    body: { invalid: 'string' }
+    body: JSON.stringify({ invalid: 'string' })
   })
   t.equal(invalid3.statusCode, 400)
-  t.equal(invalid3.json().code, 'FST_ERR_VALIDATION')
+  t.equal((await invalid3.body.json()).code, 'FST_ERR_VALIDATION')
+
+  const invalid4 = await request(address, {
+    method: 'POST',
+    url: '/',
+    headers: {
+      'content-type': 'ApPlIcAtIoN/JsOn foo;'
+    },
+    body: JSON.stringify({ invalid: 'string' })
+  })
+  t.equal(invalid4.statusCode, 400)
+  t.equal((await invalid4.body.json()).code, 'FST_ERR_VALIDATION')
 })

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

cna.openjsf.org/security-advisories.htmlnvdVendor AdvisoryWEB
github.com/advisories/GHSA-247c-9743-5963ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-32442ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-33806ghsaADVISORY
github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4ghsaWEB
github.com/fastify/fastify/releases/tag/v5.8.5ghsaWEB
github.com/fastify/fastify/security/advisories/GHSA-247c-9743-5963ghsaWEB
github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwcnvdNot ApplicableWEB

News mentions

No linked articles in our index yet.

Severity

HighCVSS v3.1

7.5/ 10

Attack vector: Network
Complexity: Low
Privileges: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

Probability of exploitation in the next 30 days.

0.10%

VYPR risk score

Composite of severity, exploitation, and reach.

0.42medium

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000

Weaknesses

CWE-1287
Improper Validation of Specified Type of Input

CVE ID

CVE-2026-33806

Source code

github.com/fastify/fastify

Credits

V
Vyntral
reporter
C
climba03003
remediation reviewer
C
climba03003
remediation_reviewer · ghsa
J
jsumners
remediation reviewer
J
jsumners
remediation_reviewer · ghsa
M
mcollina
remediation developer
M
mcollina
remediation_developer · ghsa
U
UlisesGascon
remediation reviewer
U
UlisesGascon
remediation_reviewer · ghsa