CVE-2026-25223

HIGH

Fastify < 5.7.2 - Interpretation Conflict

Title source: rule

Description

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.

References (6)

[Vendor Advisory, Mitigation] https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq

[Patch] https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821

[Product, Technical Description] https://fastify.dev/docs/latest/Reference/Validation-and-Serialization

[Product] https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125

View Writeup ZIP pw:eip

[Product] https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272

[Permissions Required] https://hackerone.com/reports/3464114

Scores

CVSS v3 7.5

EPSS 0.0002

EPSS Percentile 5.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-436

Status published

Products (2)

fastify/fastify < 5.7.2

npm/fastify 0 - 5.7.2npm

Published Feb 03, 2026

Tracked Since Feb 18, 2026