QwikSec

Security Database

CVE

CWE

Training

CVE-2026-25223

Published: Feb 3, 2026

Modified: Feb 4, 2026

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.

Vendor	Product	Versions
fastify	fastify	affected `< 5.7.2`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq

x_refsource_CONFIRM

https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821

x_refsource_MISC

https://hackerone.com/reports/3464114

x_refsource_MISC

https://fastify.dev/docs/latest/Reference/Validation-and-Serialization

x_refsource_MISC

https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125

x_refsource_MISC

https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.