📦 chore(deps): Update dependency fastify to v5.8.5 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
fastify (source)	5.7.3 → 5.8.5

---

Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass

CVE-2025-32442 / GHSA-mg2h-6x62-wpwc

More information

Details

Impact

In applications that specify different validation strategies for different content types, it's possible to bypass the validation by providing a slightly altered content type such as with different casing or altered whitespacing before ;.

Users using the the following pattern are affected:

fastify.post('/', {
  handler(request, reply) {
    reply.code(200).send(request.body)
  },
  schema: {
    body: {
      content: {
        'application/json': {
          schema: {
            type: 'object',
            properties: {
              'foo': {
                type: 'string',
              }
            },
            required: ['foo']
          }
        },
      }
    }
  }
})

User using the following pattern are not affected:

fastify.post('/', {
  handler(request, reply) {
    reply.code(200).send(request.body)
  },
  schema: {
    body: {
      type: 'object',
      properties: {
        'foo': {
          type: 'string',
        }
      },
      required: ['foo']
    }
  }
})

Patches

This was patched in v5.3.1, but unfortunately it did not cover all problems. This has been fully patched in v5.3.2.
Version v4.9.0 was also affected by this issue. This has been fully patched in v4.9.1.

Workarounds

Do not specify multiple content types in the schema.

References

Are there any links users can visit to find out more?

https://hackerone.com/reports/3087928

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

• https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc
• https://github.com/fastify/fastify/commit/436da4c06dfbbb8c24adee3a64de0c51e4f47418
• https://nvd.nist.gov/vuln/detail/CVE-2025-32442
• https://hackerone.com/reports/3087928
• https://github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4
• https://github.com/advisories/GHSA-mg2h-6x62-wpwc

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream

CVE-2026-25224 / GHSA-mrq3-vjjr-p77c

More information

Details

Impact

A Denial of Service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation.

Patches

The issue is fixed in Fastify 5.7.3. Users should upgrade to 5.7.3 or later.

Workarounds

Avoid sending Web Streams from Fastify responses (e.g., ReadableStream or Response bodies). Use Node.js streams (stream.Readable) or buffered payloads instead until the project can upgrade.

References

• https://hackerone.com/reports/3524779

Severity

• CVSS Score: 3.7 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c
• https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37
• https://hackerone.com/reports/3524779
• https://nvd.nist.gov/vuln/detail/CVE-2026-25224
• https://github.com/advisories/GHSA-mrq3-vjjr-p77c

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Fastify's Content-Type header tab character allows body validation bypass

CVE-2026-25223 / GHSA-jx2c-rxcm-jvmq

More information

Details

Impact

A validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type.

For example, a request with Content-Type: application/json\ta will bypass JSON schema validation but still be parsed as JSON.

This vulnerability affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints. The concrete impact depends on the handler implementation and the level of trust placed in the validated request body, but at the library level, this allows complete bypass of body validation for any handler using Content-Type-discriminated schemas.

This issue is a regression or missed edge case from the fix for a previously reported vulnerability.

Patches

This vulnerability has been patched in Fastify v5.7.2. All users should upgrade to this version or later immediately.

Workarounds

If upgrading is not immediately possible, user can implement a custom onRequest hook to reject requests containing tab characters in the Content-Type header:

fastify.addHook('onRequest', async (request, reply) => {
  const contentType = request.headers['content-type']
  if (contentType && contentType.includes('\t')) {
    reply.code(400).send({ error: 'Invalid Content-Type header' })
  }
})

Resources

• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272
• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125
• Fastify Validation and Serialization Documentation
• https://hackerone.com/reports/3464114

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

• https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq
• https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821
• https://hackerone.com/reports/3464114
• https://fastify.dev/docs/latest/Reference/Validation-and-Serialization
• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125
• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272
• https://nvd.nist.gov/vuln/detail/CVE-2026-25223
• https://github.com/advisories/GHSA-jx2c-rxcm-jvmq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation

CVE-2026-3419 / GHSA-573f-x89g-hqp9

More information

Details

Description

Fastify incorrectly accepts malformed Content-Type headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1. For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.

When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.

Impact

An attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.

Workarounds

Deploy a WAF rule to protect against this

Fix

The fix is available starting with v5.8.1.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

• https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9
• https://github.com/fastify/fastify/commit/67f6c9b32cb3623d3c9470cc17ed830dd2f083d7
• https://httpwg.org/specs/rfc9110.html#field.content-type
• https://nvd.nist.gov/vuln/detail/CVE-2026-3419
• https://cna.openjsf.org/security-advisories.html
• https://github.com/advisories/GHSA-573f-x89g-hqp9
• https://www.cve.org/CVERecord?id=CVE-2026-3419

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections

CVE-2026-3635 / GHSA-444r-cwp2-x5xf

More information

Details

Summary

When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.

Affected Versions

fastify <= 5.8.2

Impact

Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.

When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.

Severity

• CVSS Score: 6.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

References

• https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf
• https://nvd.nist.gov/vuln/detail/CVE-2026-3635
• https://cna.openjsf.org/security-advisories.html
• https://github.com/fastify/fastify/releases/tag/v5.8.3
• https://www.cve.org/CVERecord?id=CVE-2026-3635
• https://github.com/advisories/GHSA-444r-cwp2-x5xf

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header

CVE-2026-33806 / GHSA-247c-9743-5963

More information

Details

Summary

A validation bypass vulnerability exists in Fastify v5.x where request body validation schemas specified via schema.body.content can be completely circumvented by prepending a single space character (\x20) to the Content-Type header. The body is still parsed correctly as JSON (or any other content type), but schema validation is entirely skipped.
This is a regression introduced by commit f3d2bcb (fix for CVE-2025-32442).

Details

The vulnerability is a parser-validator differential between two independent code paths that process the raw Content-Type header differently.
Parser path (lib/content-type.js, line ~67) applies trimStart() before processing:

const type = headerValue.slice(0, sepIdx).trimStart().toLowerCase()
// ' application/json' → trimStart() → 'application/json' → body is parsed ✓

Validator path (lib/validation.js, line 272) splits on /[ ;]/ before trimming:

function getEssenceMediaType(header) {
  if (!header) return ''
  return header.split(/[ ;]/, 1)[0].trim().toLowerCase()
}
// ' application/json'.split(/[ ;]/, 1) → ['']  (splits on the leading space!)
// ''.trim() → ''
// context[bodySchema][''] → undefined → NO validator found → validation skipped!

The ContentType class applies trimStart() before processing, so the parser correctly identifies application/json and parses the body. However, getEssenceMediaType splits on /[ ;]/ before trimming, so the leading space becomes a split point, producing an empty string. The validator looks up a schema for content-type "", finds nothing, and skips validation entirely.
Regression source: Commit f3d2bcb (April 18, 2025) changed the split delimiter from ';' to /[ ;]/ to fix CVE-2025-32442. The old code (header.split(';', 1)[0].trim()) was not vulnerable to this vector because .trim() would correctly handle the leading space. The new regex-based split introduced the regression.

PoC

const fastify = require('fastify')({ logger: false });

fastify.post('/transfer', {
  schema: {
    body: {
      content: {
        'application/json': {
          schema: {
            type: 'object',
            required: ['amount', 'recipient'],
            properties: {
              amount: { type: 'number', maximum: 1000 },
              recipient: { type: 'string', maxLength: 50 },
              admin: { type: 'boolean', enum: [false] }
            },
            additionalProperties: false
          }
        }
      }
    }
  }
}, async (request) => {
  return { processed: true, data: request.body };
});

(async () => {
  await fastify.ready();

  // BLOCKED — normal request with invalid payload
  const res1 = await fastify.inject({
    method: 'POST',
    url: '/transfer',
    headers: { 'content-type': 'application/json' },
    payload: JSON.stringify({ amount: 9999, recipient: 'EVIL', admin: true })
  });
  console.log('Normal:', res1.statusCode);
  // → 400 FST_ERR_VALIDATION

  // BYPASS — single leading space
  const res2 = await fastify.inject({
    method: 'POST',
    url: '/transfer',
    headers: { 'content-type': ' application/json' },
    payload: JSON.stringify({ amount: 9999, recipient: 'EVIL', admin: true })
  });
  console.log('Leading space:', res2.statusCode);
  // → 200 (validation bypassed!)
  console.log('Body:', res2.body);

  await fastify.close();
})();

Output:

Normal: 400
Leading space: 200
Body: {"processed":true,"data":{"amount":9999,"recipient":"EVIL","admin":true}}

Impact

Any Fastify application that relies on schema.body.content (per-content-type body validation) to enforce data integrity or security constraints is affected. An attacker can bypass all body validation by adding a single space before the Content-Type value. The attack requires no authentication and has zero complexity — it is a single-character modification to an HTTP header.
This vulnerability is distinct from all previously patched content-type bypasses:

CVE	Vector	Patched in 5.8.4?
CVE-2025-32442	Casing / semicolon whitespace	✅ Yes
CVE-2026-25223	Tab character (\t)	✅ Yes
CVE-2026-3419	Trailing garbage after subtype	✅ Yes
This finding	Leading space (\x20)	❌ No

Recommended fix — add trimStart() before the split in getEssenceMediaType:

function getEssenceMediaType(header) {
  if (!header) return ''
  return header.trimStart().split(/[ ;]/, 1)[0].trim().toLowerCase()
}

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

• https://github.com/fastify/fastify/security/advisories/GHSA-247c-9743-5963
• https://nvd.nist.gov/vuln/detail/CVE-2025-32442
• https://github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4
• https://github.com/fastify/fastify/releases/tag/v5.8.5
• https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc
• https://nvd.nist.gov/vuln/detail/CVE-2026-33806
• https://cna.openjsf.org/security-advisories.html
• https://github.com/advisories/GHSA-247c-9743-5963

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

fastify/fastify (fastify)

v5.8.5

Compare Source

⚠️ Security Release

This fixes CVE CVE-2026-33806 GHSA-247c-9743-5963.

What's Changed

• chore: Fix port parsing by @​jsumners in #​6603
• chore: upgrade to typescript v6.0.2 by @​Tony133 in #​6605
• fix: restore trustProxy function for number and string types, add null check for socketAddr by @​mcollina in #​6613
• ci: reduce cron scheduled workflows from daily/weekly to monthly by @​Fdawgs in #​6623
• chore: Bump pnpm/action-setup from 4.2.0 to 5.0.0 by @​dependabot[bot] in #​6629
• chore: Bump markdownlint-cli2 from 0.21.0 to 0.22.0 by @​dependabot[bot] in #​6632
• chore: Bump borp from 0.21.0 to 1.0.0 by @​dependabot[bot] in #​6633
• chore: Bump actions/dependency-review-action from 4.8.3 to 4.9.0 by @​dependabot[bot] in #​6630
• docs(ecosystem): add @​pompelmi/fastify-plugin by @​SonoTommy in #​6610

New Contributors

• @​SonoTommy made their first contribution in #​6610

Full Changelog: fastify/fastify@v5.8.4...v5.8.5

v5.8.4

Compare Source

Full Changelog: fastify/fastify@v5.8.3...v5.8.4

v5.8.3

Compare Source

⚠️ Security Release

This fixes CVE CVE-2026-3635 GHSA-444r-cwp2-x5xf.

What's Changed

• docs(readme): add @​Tony133 to plugin team by @​Tony133 in #​6565
• Updated Plugins-Guide.md; Changed "fastify" to "instance" during plugin registration to showcase that it's added as a child by @​kyrylchenko in #​6566
• test: use fastify.test in test case by @​climba03003 in #​6568
• docs: use fastify.example in documentation by @​climba03003 in #​6567
• docs: add common performance degradation guidance by @​maxpetrusenko in #​6520
• docs(server): fix camelCase anchor links in TOC by @​Deepvamja in #​6530
• ci(link-checker): fix root-relative links resolution by @​barba-rossa in #​6535
• docs: update syntax markdown, absolute paths and links by @​Tony133 in #​6569
• docs: clarify content-type parser/schema mismatch is outside threat model by @​mcollina in #​6537
• docs: fix incorrect code examples in Reply and Request reference by @​mahmoodhamdi in #​6582
• docs: replace redirected npm.im http-errors link by @​mcollina in #​6588
• types: Allow port to be null in request type definition by @​TristanBarlow in #​6589
• docs: update links by @​Tony133 in #​6593
• ci(lock-threads): use shared lock-threads workflow by @​Fdawgs in #​6592

New Contributors

• @​kyrylchenko made their first contribution in #​6566
• @​maxpetrusenko made their first contribution in #​6520
• @​Deepvamja made their first contribution in #​6530
• @​barba-rossa made their first contribution in #​6535
• @​mahmoodhamdi made their first contribution in #​6582
• @​TristanBarlow made their first contribution in #​6589

Full Changelog: fastify/fastify@v5.8.2...v5.8.3

v5.8.2

Compare Source

What's Changed

• docs(ecosystem): add @​yeliex/fastify-problem-details by @​yeliex in #​6546
• Revert "chore: upgrade borp to v1.0.0" by @​climba03003 in #​6564
• docs: document body validation with custom content type parsers by @​mcollina in #​6556
• docs(ecosystem): add fastify-file-router by @​bhouston in #​6441
• docs: add fastify-svelte-view to Ecosystem list by @​matths in #​6453
• fix: anchor keyValuePairsReg to prevent quadratic backtracking by @​mcollina in #​6558
• docs: added note on handling of invalid URLs in setNotFoundHandler by @​leftieFriele in #​5661
• docs(guides): update codemod links by @​OluchiEzeifedikwa in #​6479
• docs: add @​glidemq/fastify to community plugins by @​avifenesh in #​6560

New Contributors

• @​yeliex made their first contribution in #​6546
• @​matths made their first contribution in #​6453
• @​leftieFriele made their first contribution in #​5661
• @​OluchiEzeifedikwa made their first contribution in #​6479
• @​avifenesh made their first contribution in #​6560

Full Changelog: fastify/fastify@v5.8.1...v5.8.2

v5.8.1

Compare Source

⚠️ Security Release

Fixes "Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation": GHSA-573f-x89g-hqp9.

CVE-2026-3419

Full Changelog: fastify/fastify@v5.8.0...v5.8.1

v5.8.0

Compare Source

What's Changed

• docs(request): add host security warning references by @​mcollina in #​6476
• docs: fix note style by @​Fdawgs in #​6487
• chore: rename deploy website ci by @​Eomm in #​6492
• chore: support pino v9 and v10 by @​mcollina in #​6496
• chore: update logger types and fix TODO comment by @​Tony133 in #​6470
• refactor(test-types): migrate dummy-plugin to FastifyPluginAsync by @​Tony133 in #​6472
• docs: fix markdown typo in README.md by @​droppingbeans in #​6491
• test: cover non-numeric content-length client error path by @​mcollina in #​6500
• ci: remove tests-checker workflow by @​Tony133 in #​6481
• ci: remove stale.yml file by @​Tony133 in #​6504
• docs(security): remove hackerone references; change note style by @​Fdawgs in #​6501
• chore: rename @​sinclair/typebox to typebox by @​Tony133 in #​6494
• ci(links-check): add external link checker using linkinator-action by @​umxr in #​6386
• chore: upgrade borp to v1.0.0 by @​Tony133 in #​6510
• docs: Add OpenJS CNA reference to SECURITY.md by @​mcollina in #​6516
• fix: avoid mutating shared routerOptions across instances by @​mcollina in #​6515
• fix(types): accept async route hooks in shorthand options by @​mcollina in #​6514
• docs: Improve shutdown lifecycle documentation by @​kibertoad in #​6517
• chore: remove unused tsconfig.eslint.json by @​mrazauskas in #​6524
• feat: First-class support for handler-level timeouts by @​kibertoad in #​6521
• docs(security): clarify insecureHTTPParser threat model scope by @​mcollina in #​6533
• chore(license): standardise license notice by @​Fdawgs in #​6511
• docs: clarify anyOf nullable coercion behavior with primitive types by @​slegarraga in #​6531
• fix: remove format placeholder from FST_ERR_CTP_INVALID_MEDIA_TYPE message by @​super-mcgin in #​6528
• docs(reference/hooks): fix note style by @​Fdawgs in #​6538
• chore: Bump lycheeverse/lychee-action from 2.7.0 to 2.8.0 by @​dependabot[bot] in #​6539
• chore: Bump actions/dependency-review-action from 4.8.2 to 4.8.3 by @​dependabot[bot] in #​6540
• chore: Bump markdownlint-cli2 from 0.20.0 to 0.21.0 by @​dependabot[bot] in #​6542
• ci: remove broken links and add ecosystem link validator by @​mcollina in #​6421
• ci(validate-ecoystem-links): add job level permission by @​Fdawgs in #​6545
• style: remove trailing whitespace by @​Fdawgs in #​6543

New Contributors

• @​droppingbeans made their first contribution in #​6491
• @​umxr made their first contribution in #​6386
• @​slegarraga made their first contribution in #​6531
• @​super-mcgin made their first contribution in #​6528

Full Changelog: fastify/fastify@v5.7.4...v5.8.0

v5.7.4

Compare Source

Full Changelog: fastify/fastify@v5.7.3...v5.7.4

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.