CVE-2025-32442

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-32442
Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.9.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`. This was patched in v5.3.1, but the initial patch did not cover all problems. This has been fully patched in v5.3.2 and v4.9.1. A workaround involves not specifying individual content types in the schema.
CVSS

No CVSS.

References
Link Resource
https://github.com/fastify/fastify/commit/436da4c06dfbbb8c24adee3a64de0c51e4f47418 Patch
https://github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4 Patch
https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc Exploit Third Party Advisory
https://hackerone.com/reports/3087928 Permissions Required
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*
cpe:2.3:a:fastify:fastify:4.29.0:*:*:*:*:node.js:*:*
History

24 Jun 2025, 18:14

Type Values Removed Values Added
References () https://hackerone.com/reports/3087928 - () https://hackerone.com/reports/3087928 - Permissions Required
References () https://github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4 - () https://github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4 - Patch
References () https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc - () https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc - Exploit, Third Party Advisory
References () https://github.com/fastify/fastify/commit/436da4c06dfbbb8c24adee3a64de0c51e4f47418 - () https://github.com/fastify/fastify/commit/436da4c06dfbbb8c24adee3a64de0c51e4f47418 - Patch
CPE cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*
cpe:2.3:a:fastify:fastify:4.29.0:*:*:*:*:node.js:*:*
First Time Fastify fastify
Fastify

28 Apr 2025, 18:15

Type Values Removed Values Added
Summary Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`. This was patched in v5.3.1, but the initial patch did not cover all problems. This has been fully patched in v5.3.2. A workaround involves not specifying individual content types in the schema. Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.9.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`. This was patched in v5.3.1, but the initial patch did not cover all problems. This has been fully patched in v5.3.2 and v4.9.1. A workaround involves not specifying individual content types in the schema.

18 Apr 2025, 21:15

Type Values Removed Values Added
Summary Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`. This issue has been patched in version 5.3.1. A workaround involves not specifying individual content types in the schema. Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`. This was patched in v5.3.1, but the initial patch did not cover all problems. This has been fully patched in v5.3.2. A workaround involves not specifying individual content types in the schema.
CWE CWE-1287
References
  • () https://github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4 -

18 Apr 2025, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-04-18 16:15

Updated : 2025-06-24 18:14

NVD link : CVE-2025-32442

Mitre link : CVE-2025-32442

JSON object : View

Products Affected

fastify

  • fastify
CWE

No CWE.