npm package
fastify
pkg:npm/fastify
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33806 | High | 7.5 | | >= 5.3.2, < 5.8.5 | 5.8.5 | Apr 15, 2026 | Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduc |
| CVE-2026-3635 | Medium | 6.1 | | < 5.8.3 | 5.8.3 | Mar 23, 2026 | Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any conne |
| CVE-2026-3419 | — | | | >= 5.7.2, < 5.8.1 | 5.8.1 | Mar 6, 2026 | Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1 (https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage |
| CVE-2026-25223 | — | | | < 5.7.2 | 5.7.2 | Feb 3, 2026 | Fastify is a fast and low overhead web framework for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by |
| CVE-2026-25224 | — | | | < 5.7.3 | 5.7.3 | Feb 3, 2026 | Fastify is a fast and low overhead web framework for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a We |
| CVE-2025-32442 | — | | | >= 5.0.0, < 5.3.2 | 5.3.2 | Apr 18, 2025 | Fastify is a fast and low overhead web framework for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a _slightly altered_ con |
| CVE-2022-41919 | — | | | >= 4.0.0, < 4.10.2 | 4.10.2 | Nov 22, 2022 | Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect `Content-Type` to bypass the `Pre-Flight` checking of `fetch`. `fetch()` requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data" |
| CVE-2022-39288 | — | | | >= 4.0.0, < 4.8.1 | 4.8.1 | Oct 10, 2022 | fastify is a fast and low overhead web framework for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has |
| CVE-2020-8192 | — | | | < 2.15.1 | 2.15.1 | Jul 30, 2020 | A denial of service vulnerability exists in Fastify v2.14.1 and v3.0.0-rc.4 that allows a malicious user to trigger resource exhaustion (when the allErrors option is used) with specially crafted schemas. |
| CVE-2018-3711 | — | | | < 0.38.0 | 0.38.0 | Jun 7, 2018 | Fastify node module before 0.38.0 is vulnerable to a denial-of-service attack by sending a request with "Content-Type: application/json" and a very large payload. |