CVE-2025-32442
HIGH
fastify 5.0.0-5.3.0 and 4.29.0 - Content-Type Validation Bypass via Altered Whitespace or Casing
Fastify is a fast and low-overhead web framework for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types can have validation bypassed by a request that provides a _slightly altered_ content type, such as one with different casing or altered whitespace before `;`. This was patched in v5.3.1, but the initial patch did not cover all problems. The issue has been fully patched in v5.3.2 and v4.29.1. A workaround is to not specify individual content types in the schema.
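The mismatch described above, as an added example that is not fastify's code or part of the advisory: a validator table keyed by the raw content-type string misses case and whitespace variants, while a normalized, fail-closed lookup does not. The validator, function names and sample headers are constructed for illustration, and the example assumes a body parser that accepts those variants as JSON.

```javascript
// Added illustration; not fastify's source. All names are hypothetical.
// Hypothetical body validator: requires a numeric "amount" field.
const strictJson = (body) =>
  typeof body === 'object' && body !== null && typeof body.amount === 'number';

// Per-content-type validators, as an application might declare them.
const validators = new Map([['application/json', strictJson]]);

// Reduce a Content-Type header to its media type: drop parameters,
// trim optional whitespace, lowercase (media types are case-insensitive).
function mediaType(header) {
  return String(header || '').split(';')[0].trim().toLowerCase();
}

// Fragile lookup: strips parameters but compares the raw string, so
// "Application/JSON" and "application/json " (space before ';') miss.
function lookupExact(header) {
  return validators.get(String(header || '').split(';')[0]) || null;
}

// Hardened path: normalize first, and fail closed when no validator
// is registered instead of passing the body through unvalidated.
function validate(header, body) {
  const validator = validators.get(mediaType(header));
  if (!validator) return 'unsupported';
  return validator(body) ? 'accepted' : 'rejected';
}

// Defender's check: which header spellings would skip validation under
// the fragile lookup although a validator exists for their media type?
function findSkipped(headers) {
  return headers.filter(
    (h) => validators.has(mediaType(h)) && lookupExact(h) === null
  );
}

// Constructed sample headers.
const SAMPLE_HEADERS = [
  'application/json',
  'Application/JSON',
  'application/json ; charset=utf-8',
  'application/json;charset=utf-8',
  'text/plain',
];

console.log(findSkipped(SAMPLE_HEADERS));
console.log(validate('Application/JSON', { amount: 'not-a-number' }));
```
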
References (4)
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc
Patch x_refsource_misc
https://github.com/fastify/fastify/commit/436da4c06dfbbb8c24adee3a64de0c51e4f47418
Patch x_refsource_misc
https://github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4
Permissions Required x_refsource_misc
https://hackerone.com/reports/3087928
Scores
CVSS v3
7.5
EPSS
0.0063
EPSS Percentile
45.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1287
Status
published
Products (3)
fastify/fastify
4.29.0
fastify/fastify
5.0.0 - 5.3.2
npm/fastify
5.0.0 - 5.3.2
Published
Apr 18, 2025
Tracked Since
Feb 18, 2026