CVE-2026-3419— Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-3419
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation
Source: NVD (National Vulnerability Database)
Vulnerability Description
Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type. When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached. Impact: An attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid. Workarounds: Deploy a WAF rule to protect against this Fix: The fix is available starting with v5.8.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
不正确的正则表达式
Source: NVD (National Vulnerability Database)
Vulnerability Title
Fastify 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Fastify是Fastify开源的一个 Web 框架。 Fastify存在安全漏洞,该漏洞源于错误接受格式错误的Content-Type标头,可能导致攻击者发送绕过有效性检查的请求并被服务器处理。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-3419
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-3419
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: fastify
- CVE-2026-33806
fastify vulnerable to Body Schema Validation Bypass via Lead - CVE-2026-3635
Fastify request.protocol and request.host spoofable via X-Fo - CVE-2026-25223
Fastify's Content-Type header tab character allows body vali - CVE-2026-25224
Fastify Vulnerable to DoS via Unbounded Memory Allocation in - CVE-2025-32442
Fastify vulnerable to invalid content-type parsing, which co
Same vendor: fastify
- CVE-2026-33807
@fastify/express vulnerable to middleware path doubling caus - CVE-2026-33808
@fastify/express vulnerable to middleware authentication byp - CVE-2026-33806
fastify vulnerable to Body Schema Validation Bypass via Lead - CVE-2026-3635
Fastify request.protocol and request.host spoofable via X-Fo - CVE-2026-25223
Fastify's Content-Type header tab character allows body vali
Same weakness: CWE-185
- CVE-2026-4296
Incorrect Regular Expression vulnerability in GitHub Enterpr - CVE-2026-25542
Tekton Pipelines: VerificationPolicy regex pattern bypass vi - CVE-2026-39350
Istio AuthorizationPolicy Incorrect Regex Matching of Dots i - CVE-2026-33418
@dicebear/converter ensureSize() Vulnerable to SVG Dimension - CVE-2026-27895
LAM has incorrect regular expression in PDF export component
V. Comments for CVE-2026-3419
No comments yet