CVSS Score: 5.3 Published: 2026-03-05 Full Report: https://cvereports.com/reports/CVE-2026-3419
Fastify, a high-performance web framework for Node.js, contains a validation bypass vulnerability in its Content-Type header parsing logic. Due to an incomplete regular expression in lib/content-type.js, the framework fails to enforce the end-of-string anchor ($) when validating media subtypes. This omission allows attackers to supply malformed Content-Type headers containing illegal trailing characters (e.g., application/json garbage), which Fastify incorrectly accepts as valid. This behavior violates RFC 9110 §8.3.1 and can lead to parser confusion where malicious payloads are routed to incorrect content parsers, potentially bypassing security controls or triggering unexpected application behavior.
Fastify versions prior to 5.8.1 incorrectly validate Content-Type headers due to a missing regex anchor. Attackers can append arbitrary garbage to media types (e.g., application/json<script>) to bypass validation logic while still triggering JSON parsing.
- CWE ID: CWE-185
- CWE Name: Incorrect Regular Expression
- CVSS v3.1: 5.3 (Medium)
- Attack Vector: Network
- Impact: Validation Bypass
- Status: Patched
- Fastify Framework (Node.js)
- Fastify: < 5.8.1 (Fixed in: 5.8.1)
- Update Fastify to version 5.8.1 or higher immediately.
- Audit custom content type parsers for similar regex anchoring issues.
Remediation Steps:
- Check your `package.json` for the `fastify` dependency.
- Run `npm install fastify@latest` or `yarn upgrade fastify` to pull version 5.8.1.
- Verify the installed version using `npm list fastify`.
- If you define custom parsers via `fastify.addContentTypeParser`, review your regexes to ensure they start with `^` and end with `$`.
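The following is an added illustration, not Fastify's own `lib/content-type.js` code: the two regexes are constructed stand-ins (one missing the `$` anchor, one anchored) built from the RFC 9110 `tchar` set, run over constructed sample headers so you can see which trailing-garbage values an unanchored pattern lets through, and reuse the anchored check when auditing custom `addContentTypeParser` regexes.

```javascript
// Illustrative example; the patterns below are NOT Fastify's real regex.
// RFC 9110 tchar: "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "."
//                 / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
const TCHAR = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";

// Unanchored stand-in for the bug shape described above: no trailing `$`,
// so any characters after a valid "type/subtype" prefix are ignored.
const MEDIA_TYPE_UNANCHORED = new RegExp(`^${TCHAR}/${TCHAR}`);

// Anchored form: the subtype must run to the end of the essence string.
const MEDIA_TYPE_ANCHORED = new RegExp(`^${TCHAR}/${TCHAR}$`);

// Strip ";param=value" parameters and normalise case before validating
// the media type essence ("type/subtype").
function essence(contentType) {
  return contentType.split(';')[0].trim().toLowerCase();
}

// Validate a Content-Type header value; `anchored` selects which pattern
// is used so the two behaviours can be compared side by side.
function isValidMediaType(contentType, anchored = true) {
  const re = anchored ? MEDIA_TYPE_ANCHORED : MEDIA_TYPE_UNANCHORED;
  return re.test(essence(contentType));
}

// Constructed sample headers: two well-formed, two with illegal trailing characters.
const SAMPLES = [
  'application/json',
  'application/json; charset=utf-8',
  'application/json garbage',
  'application/json<script>',
];

// Returns one row per sample showing what each pattern accepts.
function compare() {
  return SAMPLES.map((h) => ({
    header: h,
    unanchored: isValidMediaType(h, false),
    anchored: isValidMediaType(h, true),
  }));
}

console.table(compare());
```

The unanchored pattern accepts all four samples, while the anchored one rejects the two with trailing characters, which is the property to check for in any custom parser regex.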
Generated by CVEReports - Automated Vulnerability Intelligence