Description
Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.
Published: 2026-02-03
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Validation Bypass
Action: Patch
AI Analysis

Impact

Fastify, a high‑performance Node.js web framework, suffers a validation bypass: by inserting a tab character after the MIME type in the Content‑Type header, an attacker can cause the framework to skip schema validation while still treating the payload as the declared type. This allows malicious data to reach downstream logic unfiltered, potentially leading to code injection or data corruption.

Affected Systems

The flaw impacts any Fastify installation older than version 5.7.2. Releases from 5.7.2 onward include a patch that corrects the parser. Users running any release prior to 5.7.2 should review their application dependencies to confirm whether the affected module is present.

Risk and Exploitability

With a CVSS score of 7.5 the issue is high severity, yet the EPSS score of less than 1% indicates limited exploitation activity. The vulnerability is not catalogued in KEV. Attackers can exploit it by sending an HTTP request whose Content‑Type header contains a tab character; this requires no authentication and little effort, and once it succeeds arbitrary request bodies reach the application without validation.

Generated by OpenCVE AI on April 18, 2026 at 00:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fastify to version 5.7.2 or newer, which eliminates the tab‑character flaw in the content‑type parser.
  • Validate incoming Content‑Type headers server side and reject any value containing unexpected whitespace or control characters such as tabs before processing the body.
  • Apply application‑level input sanitization to all deserialized bodies and monitor logs for unexpected header anomalies to detect bypass attempts.
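A defensive check that implements the second recommended action (rejecting Content‑Type values with tabs or other control characters before any body is parsed), written as an added example for this page rather than code from OpenCVE or the Fastify project. It assumes Fastify's documented onRequest hook signature `(request, reply, done)`; the function names `checkContentType` and `contentTypeGuard`, the media‑type grammar check, and the sample header values are constructed for the example.

```javascript
// Added example (not OpenCVE's or the Fastify project's code): a pre-parser gate
// for the Content-Type header that rejects control characters (including HTAB,
// 0x09) and malformed media types before a body parser or schema is selected.

// Characters allowed in a token (RFC 9110 tchar): type, subtype, parameter names.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// True when the value holds any control character: HTAB, the character the
// advisory describes, plus CR, LF, NUL and DEL. Only a plain space is tolerated
// as whitespace.
function hasControlChars(value) {
  for (let i = 0; i < value.length; i++) {
    const c = value.charCodeAt(i);
    if (c < 0x20 || c === 0x7f) return true;
  }
  return false;
}

// Splits on ';' while keeping quoted parameter values intact, so that
// boundary="a;b" stays one parameter. Returns null on an unterminated quote.
function splitOnSemicolons(s) {
  const parts = [];
  let cur = '', inQuote = false;
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (!inQuote && ch === ';') { parts.push(cur); cur = ''; continue; }
    cur += ch;
    if (inQuote && ch === '\\' && i + 1 < s.length) cur += s[++i];
    else if (ch === '"') inQuote = !inQuote;
  }
  if (inQuote) return null;
  parts.push(cur);
  return parts;
}

// Parses "type/subtype; name=value; ..." into { type, subtype, params } or
// returns null when malformed. Names are lower-cased; quoted values are unescaped.
function parseContentType(value) {
  if (hasControlChars(value)) return null;
  const parts = splitOnSemicolons(value);
  if (parts === null) return null;
  const mediaType = parts[0].trim().toLowerCase();
  const slash = mediaType.indexOf('/');
  if (slash <= 0 || slash === mediaType.length - 1) return null;
  const type = mediaType.slice(0, slash);
  const subtype = mediaType.slice(slash + 1);
  if (!TOKEN_RE.test(type) || !TOKEN_RE.test(subtype)) return null;
  const params = {};
  for (const raw of parts.slice(1)) {
    const param = raw.trim();
    const eq = param.indexOf('=');
    if (eq <= 0) return null; // empty parameter (e.g. trailing ';') or no '='
    const name = param.slice(0, eq).toLowerCase();
    const val = param.slice(eq + 1);
    if (!TOKEN_RE.test(name)) return null;
    const quoted = /^"(?:[^"\\]|\\.)*"$/.test(val);
    if (!quoted && !TOKEN_RE.test(val)) return null;
    params[name] = quoted ? val.slice(1, -1).replace(/\\(.)/g, '$1') : val;
  }
  return { type, subtype, params };
}

// Verdict on a header value: { ok: true, mediaType, params } or { ok: false, reason }.
function checkContentType(value) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  if (hasControlChars(value)) return { ok: false, reason: 'control character in header' };
  const parsed = parseContentType(value);
  if (parsed === null) return { ok: false, reason: 'malformed media type' };
  return { ok: true, mediaType: `${parsed.type}/${parsed.subtype}`, params: parsed.params };
}

// Fastify onRequest hook in the documented (request, reply, done) shape; the
// application registers it with fastify.addHook('onRequest', contentTypeGuard).
// Requests without a Content-Type pass through; a malformed one is answered with
// 400 before any body is read, so no content-type parser is ever chosen for it.
function contentTypeGuard(request, reply, done) {
  const header = request.headers['content-type'];
  if (header === undefined) return done();
  const verdict = checkContentType(header);
  if (!verdict.ok) {
    reply.code(400).send({ error: `Invalid Content-Type: ${verdict.reason}` });
    return; // replying from a hook ends the request; done() is not called
  }
  done();
}

// Constructed sample values (not captured traffic) showing the gate's decisions.
const SAMPLE_HEADERS = [
  'application/json', 'Application/JSON; charset=utf-8',
  'multipart/form-data; boundary="a;b"',
  'application/json\tx' /* tab after media type */, 'application/json;' /* dangling ';' */,
];
for (const h of SAMPLE_HEADERS) console.log(JSON.stringify(h), '->', checkContentType(h));
```

The gate runs at onRequest, before Fastify's content‑type parser and body validation, so the decision is made on the raw header rather than on whatever the parser derives from it; legitimate parameters such as `charset` and quoted `boundary` values still pass, while a header with a tab is rejected with a 400 and a log line can be emitted at that point for monitoring.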


Advisories
Source: GitHub GHSA
ID: GHSA-jx2c-rxcm-jvmq
Title: Fastify's Content-Type header tab character allows body validation bypass
History

Tue, 10 Feb 2026 20:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*

Wed, 04 Feb 2026 22:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Fastify; Fastify fastify

Type: Weaknesses
Values Added: CWE-179

Type: Vendors & Products
Values Added: Fastify; Fastify fastify

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: threat_severity Important


Tue, 03 Feb 2026 21:45:00 +0000

Type: Description
Values Added: Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.

Type: Title
Values Added: Fastify's Content-Type header tab character allows body validation bypass

Type: Weaknesses
Values Added: CWE-436

Type: References

Type: Metrics
Values Added: cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T21:18:16.693Z

Reserved: 2026-01-30T14:44:47.327Z

Link: CVE-2026-25223

Vulnrichment

Updated: 2026-02-04T21:18:14.142Z

NVD

Status : Analyzed

Published: 2026-02-03T22:16:31.130

Modified: 2026-02-10T20:05:15.127

Link: CVE-2026-25223

Redhat

Severity : Important

Public Date: 2026-02-03T21:21:40Z

Links: CVE-2026-25223 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T00:15:31Z

Weaknesses