Description
Impact:

Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.

This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442.

Patches:

Upgrade to fastify v5.8.5 or later.

Workarounds:

None. Upgrade to the patched version.
Published: 2026-04-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Schema Validation Bypass via Content-Type Header
Action: Patch Update
AI Analysis

Impact

Applications built with Fastify that rely on schema.body.content to validate request bodies are vulnerable because a single leading space in the Content-Type header causes the library to skip body validation entirely. The request body is still parsed, but the validation logic that would normally enforce the declared schema is bypassed, allowing attackers to send malformed or malicious data that would otherwise be rejected. The flaw is a regression introduced in Fastify 5.3.2 by the fix for a previous advisory (CVE-2025-32442).

Affected Systems

The vulnerability affects the Fastify framework (fastify:fastify) in any application that uses content-type-specific body validation. The regression is present in all releases from 5.3.2 through 5.8.4; versions 5.8.5 and later contain the fix.

Risk and Exploitability

The flaw carries a CVSS score of 7.5, indicating moderate-to-high severity. No EPSS score is available and the issue has not been listed in the CISA KEV catalog, suggesting that exploitation is not yet widespread. An attacker only needs to send a crafted HTTP request whose Content-Type header carries a leading space, which any client able to craft its own requests can do. Once validation is bypassed, the payload can be used to inject unexpected data into the application, potentially leading to further downstream security issues depending on how the data is processed.

Generated by OpenCVE AI on April 15, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fastify to version 5.8.5 or a later release to remove the regression.
  • Add a middleware that trims leading and trailing whitespace from the Content-Type header before routing, ensuring the validation logic is applied.
  • Apply additional schema validation or data sanitization at the application layer for all incoming requests to guard against altered content types.
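The header normalization from the second recommended action, shown as an added JavaScript example; this is not Fastify's code and not part of the advisory. It models the failure mode with a small stand-in for a schema.body.content lookup: a map keyed on the exact header string misses " application/json" and, in the regressed behaviour the advisory describes, falls through with no validation at all, whereas a lookup that first parses and normalizes the Content-Type value (trimming whitespace, lower-casing the media type, discarding parameters such as charset) finds the schema and fails closed with 415 when no schema matches. The schema shape, the validateBody helper and the processRequest flow are assumptions made for illustration, not Fastify's internals.

```javascript
// Added example, not Fastify's code: normalize a Content-Type header before
// using it as the key for per-content-type body schemas, and fail closed
// when no schema matches.

// RFC 9110 "token" characters, used for the type/subtype syntax check.
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
const MEDIA_TYPE = new RegExp(`^${TOKEN}/${TOKEN}$`);

// Parse "type/subtype; name=value; ..." into a normalized media type and a
// parameter map. Surrounding whitespace is trimmed and the media type is
// lower-cased because media types are case-insensitive. Returns null when
// the value is not a syntactically valid media type.
function parseContentType(header) {
  if (typeof header !== 'string') return null;
  const [rawType, ...rawParams] = header.split(';');
  const mediaType = rawType.trim().toLowerCase();
  if (!MEDIA_TYPE.test(mediaType)) return null;
  const params = {};
  for (const p of rawParams) {
    const eq = p.indexOf('=');
    if (eq === -1) continue;
    const name = p.slice(0, eq).trim().toLowerCase();
    let value = p.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    params[name] = value;
  }
  return { mediaType, params };
}

// Constructed stand-in for a route's schema.body.content. A Map is used so
// that keys like "constructor" cannot accidentally hit Object.prototype.
const bodySchemas = new Map([
  ['application/json', { type: 'object', required: ['user'] }],
]);

// Toy validator for the schema shape above: an object carrying every
// required key. Only the accept/reject decision matters here.
function validateBody(schema, body) {
  if (schema.type !== 'object') return false;
  if (body === null || typeof body !== 'object' || Array.isArray(body)) return false;
  return (schema.required ?? []).every((k) => Object.prototype.hasOwnProperty.call(body, k));
}

// Decide how a request is handled. With normalize=false the raw header is
// the lookup key and a miss means "no schema, skip validation": this models
// the regressed behaviour in the advisory, where a leading space bypasses
// validation. With normalize=true the parsed media type is the key and a
// miss is rejected with 415 Unsupported Media Type.
function processRequest(headers, body, { normalize = true } = {}) {
  const header = headers['content-type'];
  const key = normalize ? (parseContentType(header)?.mediaType ?? null) : header;
  const schema = bodySchemas.get(key) ?? null;
  if (schema === null) {
    return normalize
      ? { status: 415, validated: false }   // fail closed
      : { status: 200, validated: false };  // fail open (regression model)
  }
  return validateBody(schema, body)
    ? { status: 200, validated: true }
    : { status: 400, validated: true };
}

// Constructed sample requests: a normal client, and one whose header carries
// a leading space and whose body is missing the required "user" key.
const SAMPLE = [
  { headers: { 'content-type': 'application/json' }, body: { user: 'alice' } },
  { headers: { 'content-type': ' application/json' }, body: {} },
];

// Run both lookup strategies over the samples so the difference is visible.
function demo() {
  return SAMPLE.map((req) => ({
    header: req.headers['content-type'],
    raw: processRequest(req.headers, req.body, { normalize: false }),
    normalized: processRequest(req.headers, req.body, { normalize: true }),
  }));
}
```

In a Fastify application the equivalent normalization would sit in an onRequest hook that rewrites request.headers['content-type'] before content-type parsing and schema validation run; that hook placement is an assumption of this example, and upgrading to 5.8.5 or later remains the actual fix.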


Tracking


Advisories

Source: GitHub GHSA
ID: GHSA-247c-9743-5963
Title: Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header
History

Wed, 15 Apr 2026 17:15:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type: First Time appeared
Values removed: none
Values added: Fastify; Fastify fastify

Type: Vendors & Products
Values removed: none
Values added: Fastify; Fastify fastify

Wed, 15 Apr 2026 01:15:00 +0000

Type: Description
Values removed: none
Values added: Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442 Patches: Upgrade to fastify v5.8.5 or later. Workarounds: None. Upgrade to the patched version.

Type: Title
Values removed: none
Values added: fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header

Type: Weaknesses
Values removed: none
Values added: CWE-1287

Type: References

Type: Metrics
Values removed: none
Values added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-04-15T16:13:42.961Z

Reserved: 2026-03-23T19:48:48.715Z

Link: CVE-2026-33806

Vulnrichment

Updated: 2026-04-15T14:02:18.744Z

NVD

Status : Received

Published: 2026-04-15T04:17:36.650

Modified: 2026-04-15T04:17:36.650

Link: CVE-2026-33806

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T13:49:14Z

Weaknesses