VYPR

Fastify

by Fastify

npm: fastify

Source repositories

CVEs (9)

  • CVE-2026-33806 · High · Apr 15, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression…

  • CVE-2026-3635 · Medium · Mar 23, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    Summary: When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any…

  • CVE-2026-3419 · Mar 6, 2026
    risk 0.00 · cvss · epss 0.00

    Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1 (https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json…

  • CVE-2026-25223 · Feb 3, 2026
    risk 0.00 · cvss · epss 0.01

    Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed…

  • CVE-2026-25224 · Feb 3, 2026
    risk 0.00 · cvss · epss 0.00

    Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a…

  • CVE-2025-32442 · Apr 18, 2025
    risk 0.00 · cvss · epss 0.01

    Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a _slightly altered_…

  • CVE-2022-41919 · Nov 22, 2022
    risk 0.00 · cvss · epss 0.00

    Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect `Content-Type` to bypass the `Pre-Flight` checking of `fetch`. `fetch()` requests with Content-Type’s essence as "application/x-www-form-urlencoded",…

  • CVE-2022-39288 · Oct 10, 2022
    risk 0.00 · cvss · epss 0.59

    fastify is a fast and low overhead web framework, for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue…

  • CVE-2021-29624 · May 19, 2021
    risk 0.00 · cvss · epss 0.01

    fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform…