CVE-2026-33806
fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header
Impact:
Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.
This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442
Patches:
Upgrade to fastify v5.8.5 or later.
Workarounds:
None. Upgrade to the patched version.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Productos afectados
fastify · fastify¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →