{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33806", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-23T19:48:48.715Z", "datePublished": "2026-04-15T00:14:02.376Z", "dateUpdated": "2026-04-15T00:14:02.376Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-15T00:14:02.376Z"}, "descriptions": [{"lang": "en", "value": "Impact:\n\nFastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.\n\nThis is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442\n\nPatches:\n\nUpgrade to fastify v5.8.5 or later.\n\nWorkarounds:\n\nNone. Upgrade to the patched version.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Impact:\n\nFastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.\n\nThis is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442\n\nPatches:\n\nUpgrade to fastify v5.8.5 or later.\n\nWorkarounds:\n\nNone. Upgrade to the patched version."}]}], "affected": [{"vendor": "fastify", "product": "fastify", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "status": "affected", "version": "5.3.2", "lessThan": "5.8.5"}, {"versionType": "semver", "status": "unaffected", "version": "5.8.5"}], "packageURL": "pkg:npm/fastify"}], "references": [{"url": "https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "credits": [{"lang": "en", "type": "remediation developer", "value": "mcollina"}, {"lang": "en", "type": "remediation reviewer", "value": "climba03003"}, {"lang": "en", "type": "remediation reviewer", "value": "jsumners"}, {"lang": "en", "type": "remediation reviewer", "value": "UlisesGascon"}, {"lang": "en", "type": "reporter", "value": "Vyntral"}], "title": "fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1287", "lang": "en", "description": "CWE-1287: Improper Validation of Specified Type of Input", "type": "CWE"}]}], "x_generator": {"engine": "cve-kit 1.0.0"}}}}

{}

{}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.3.2,5.8.5)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "5.8.5"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "fastify", "source": "cna", "vendor": "fastify"}, "product": "fastify", "vendor": "fastify"}], "analysis": {"en": {"generated_at": "2026-04-15T03:21:12.469138+00:00", "value": {"mitigation_remediation": ["Upgrade Fastify to version\u00a05.8.5\u00a0or a later release to remove the regression.", "Add a middleware that trims leading and trailing whitespace from the Content\u2011Type header before routing, ensuring the validation logic is applied.", "Apply additional schema validation or data sanitization at the application layer for all incoming requests to guard against altered content types."], "summary": {"action": "Patch Update", "impact": "Schema Validation Bypass via Content-Type Header"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Fastify framework (fastify:fastify) in any application using content\u2011type specific body validation. The regression is present in all releases from 5.3.2 through 5.8.4; versions 5.8.5 and later contain the fix.", "description_and_impact": "Applications built with Fastify that rely on schema.body.content to validate request bodies are vulnerable because inserting a single leading space in the Content\u2011Type header causes the library to skip body validation entirely. The request body is still parsed, but the validation logic that would normally enforce the declared schema is bypassed, allowing attackers to send malformed or malicious data that could otherwise be rejected. This flaw stems from a regression introduced in Fastify versions starting at 5.3.2 and is tied to a previous advisory (CVE\u20112025\u201132442).", "risk_and_exploitability": "The flaw carries a CVSS score of 7.5, indicating moderate\u2011to\u2011high severity. No EPSS score is available and the issue has not been listed in the CISA KEV catalog, suggesting that exploitation is not yet widespread. Attackers would need to send crafted HTTP requests with a header that includes a leading space, which is a straightforward capability for anyone capable of tampering with outbound traffic. Once bypassed, the payload can be used to inject unexpected data into the application, potentially leading to further downstream security issues depending on how the data is processed."}}}}, "created": "2026-04-15T13:48:23.608698+00:00", "updated": "2026-04-15T13:49:14.872843+00:00", "vendors": ["fastify", "fastify$PRODUCT$fastify"]}