CVE-2025-32442 – fastify

Package

Manager: npm
Name: fastify
Vulnerable Version: >=5.0.0 <5.3.2 || =4.29.0 || >=4.29.0 <4.29.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00089 pctl0.26336

Details

Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass ### Impact In applications that specify different validation strategies for different content types, it's possible to bypass the validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`. Users using the the following pattern are affected: ```js fastify.post('/', { handler(request, reply) { reply.code(200).send(request.body) }, schema: { body: { content: { 'application/json': { schema: { type: 'object', properties: { 'foo': { type: 'string', } }, required: ['foo'] } }, } } } }) ``` User using the following pattern are **not** affected: ```js fastify.post('/', { handler(request, reply) { reply.code(200).send(request.body) }, schema: { body: { type: 'object', properties: { 'foo': { type: 'string', } }, required: ['foo'] } } }) ``` ### Patches This was patched in v5.3.1, but unfortunately it did not cover all problems. This has been fully patched in v5.3.2. Version v4.9.0 was also affected by this issue. This has been fully patched in v4.9.1. ### Workarounds Do not specify multiple content types in the schema. ### References _Are there any links users can visit to find out more?_ https://hackerone.com/reports/3087928

Metadata

Created: 2025-04-18T15:02:41Z
Modified: 2025-05-29T21:04:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-mg2h-6x62-wpwc/GHSA-mg2h-6x62-wpwc.json
CWE IDs: ["CWE-1287"]
Alternative ID: GHSA-mg2h-6x62-wpwc
Finding: F184
Auto approve: 1