CVE-2025-32442— Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-32442
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass
Source: NVD (National Vulnerability Database)
Vulnerability Description
Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`. This was patched in v5.3.1, but the initial patch did not cover all problems. This has been fully patched in v5.3.2 and v4.29.1. A workaround involves not specifying individual content types in the schema.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1287
Source: NVD (National Vulnerability Database)
Vulnerability Title
Fastify 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Fastify是Fastify开源的一个 Web 框架。 Fastify 5.0.0版本至5.3.0版本存在安全漏洞,该漏洞源于内容类型验证可能被绕过。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-32442
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-32442
请登录查看更多情报信息。
- Merge commit from fork · fastify/fastify@436da4c · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2025-32442
IV. Related Vulnerabilities
Same product: fastify
- CVE-2026-33806
fastify vulnerable to Body Schema Validation Bypass via Lead - CVE-2026-3635
Fastify request.protocol and request.host spoofable via X-Fo - CVE-2026-3419
Fastify's Missing End Anchor in "subtypeNameReg" Allows Malf - CVE-2026-25223
Fastify's Content-Type header tab character allows body vali - CVE-2026-25224
Fastify Vulnerable to DoS via Unbounded Memory Allocation in
Same vendor: fastify
- CVE-2026-33807
@fastify/express vulnerable to middleware path doubling caus - CVE-2026-33808
@fastify/express vulnerable to middleware authentication byp - CVE-2026-33806
fastify vulnerable to Body Schema Validation Bypass via Lead - CVE-2026-3635
Fastify request.protocol and request.host spoofable via X-Fo - CVE-2026-3419
Fastify's Missing End Anchor in "subtypeNameReg" Allows Malf
Same weakness: CWE-1287
- CVE-2026-33806
fastify vulnerable to Body Schema Validation Bypass via Lead - CVE-2019-25596
SpotAuditor 5.2.6 Name Field Denial of Service - CVE-2026-2092
Keycloak-services: keycloak: unauthorized access via imprope - CVE-2026-2454
DoS in Calls plugin via malformed msgpack in websocket reque - CVE-2026-25783
Denial of service via malformed User-Agent header in getBrow
V. Comments for CVE-2025-32442
No comments yet