Description
Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1 (https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with `Content-Type: application/json garbage` passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.

When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.

Impact:
An attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.

Workarounds:
Deploy a WAF rule to protect against this.

Fix:

The fix is available starting with v5.8.1.
Published: 2026-03-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Bypass Content-Type Validation
Action: Apply Patch
AI Analysis

Impact

Fastify implements a regex-based validator for the Content-Type header that is intended to enforce RFC 9110 §8.3.1. In this CVE, the validator incorrectly accepts headers that contain trailing characters after the subtype token, such as `Content-Type: application/json garbage`, because the end anchor in the regular expression is missing. As a result, requests whose media types are RFC-invalid are treated as valid by Fastify's parser and are routed to the associated content-type parser. This flaw is categorized as CWE-185 and CWE-625, and allows an attacker to bypass the server's media-type validation and potentially cause malicious payloads to be processed under the wrong parser.
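The validator gap described above, as an added example that is not Fastify's own code: a simplified RFC 9110 §8.3.1 media-type regex written without and with the end anchor, plus a parser-selection step showing where the malformed value ends up under each. The regex, function and registry names are assumptions for illustration, not Fastify identifiers.

```javascript
// Added illustration, not Fastify's own source: a simplified RFC 9110 §8.3.1
// media-type check in the two forms the advisory contrasts, differing only in
// the end anchor. Parameters follow *( OWS ";" OWS [ token "=" ( token /
// quoted-string ) ] ), with \s approximating OWS. All names here are assumed.
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
const QUOTED = '"(?:[^"\\\\]|\\\\.)*"';
const PARAMS = `(?:\\s*;\\s*(?:${TOKEN}=(?:${TOKEN}|${QUOTED}))?)*`;

// Weak form: anchored only at the start, so a valid prefix is enough and any
// trailing bytes after the subtype (or its parameters) are silently ignored.
const weakMediaTypeReg = new RegExp(`^${TOKEN}/${TOKEN}${PARAMS}`);

// Hardened form: the trailing "$" forces the whole header value to satisfy the
// grammar, so "application/json garbage" no longer validates.
const strictMediaTypeReg = new RegExp(`^${TOKEN}/${TOKEN}${PARAMS}\\s*$`);

function isValidContentType(value, reg = strictMediaTypeReg) {
  return typeof value === 'string' && reg.test(value.trim());
}

// Models the parser-selection step: validate first, then try each registered
// RegExp matcher against the full header value. Returns the parser name, or
// null where the server should answer 415 Unsupported Media Type.
function selectParser(contentType, parsers, reg = strictMediaTypeReg) {
  if (!isValidContentType(contentType, reg)) return null;
  for (const [name, matcher] of parsers) {
    if (matcher.test(contentType)) return name;
  }
  return null;
}

// Constructed registry with one regex-based parser, the documented feature that
// the advisory says receives the full malformed string.
const REGISTERED_PARSERS = [['json', /^application\/json/]];

// Constructed inputs: the advisory's malformed header plus two compliant ones.
const SAMPLES = [
  'application/json garbage',
  'application/json',
  'application/json; charset=utf-8',
];

// Maps each sample to the parser it would reach under the given validator.
function routeSamples(reg) {
  return Object.fromEntries(SAMPLES.map((s) => [s, selectParser(s, REGISTERED_PARSERS, reg)]));
}

console.log('weak  :', routeSamples(weakMediaTypeReg));   // garbage value reaches 'json'
console.log('strict:', routeSamples(strictMediaTypeReg)); // garbage value -> null (415)
```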

Affected Systems

The vulnerability affects the Fastify framework distributed under the npm package fastify. All released versions prior to 5.8.1 are susceptible, as the patch was introduced in v5.8.1. No specific operating systems or Node.js version constraints are listed, but the bug exists within the Fastify codebase regardless of deployment environment.

Risk and Exploitability

With a CVSS v3 base score of 5.3, the flaw is considered moderate severity. The EPSS score is under 1%, indicating a low probability that attackers are actively exploiting it at present. The vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the issue by sending an HTTP request with a Content-Type header that includes trailing characters beyond the acceptable subtype token; the server will accept the header, route the request to the parser, and process the payload as if it were compliant. Because the flaw only allows bypass of validation without direct code execution, the risk is limited to potential downstream effects such as injection of malformed data, but it remains exploitable in environments that rely on strict Content-Type validation for security.

Generated by OpenCVE AI on April 16, 2026 at 11:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fastify to version v5.8.1 or later to incorporate the patched Content-Type validation.
  • If regex-based content-type parsers are configured, review or disable them so that malformed headers are not processed by untrusted parsers.
  • Deploy a WAF rule or equivalent traffic filter to block Content-Type headers that contain trailing characters after the subtype token.
  • Monitor application logs for unexpected Content-Type parsing or malformed header traffic and apply additional filtering rules as needed.

Advisories

Source: Github GHSA
ID: GHSA-573f-x89g-hqp9
Title: Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation
History

Wed, 18 Mar 2026 19:15:00 +0000

CPEs added: cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*

Mon, 09 Mar 2026 15:30:00 +0000

Metrics added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

First Time appeared: Fastify, Fastify fastify
Vendors & Products added: Fastify, Fastify fastify

Sat, 07 Mar 2026 12:15:00 +0000

Weaknesses added: CWE-625
References: changed (values not shown)
Metrics threat_severity: None (removed), Moderate (added)


Fri, 06 Mar 2026 18:15:00 +0000

Description added: (the advisory description reproduced at the top of this page)
Title added: Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation
Weaknesses added: CWE-185
References: changed (values not shown)
Metrics added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-03-09T14:55:21.011Z

Reserved: 2026-03-01T18:56:49.613Z

Link: CVE-2026-3419

Vulnrichment

Updated: 2026-03-09T14:55:17.583Z

NVD

Status: Analyzed

Published: 2026-03-06T18:16:22.213

Modified: 2026-03-18T19:11:46.967

Link: CVE-2026-3419

Red Hat

Severity: Moderate

Public Date: 2026-03-06T17:50:58Z

Links: CVE-2026-3419 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses