CVE-2025-32442: Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass

7.5 CVSS

Description

Fastify is a fast and low-overhead web framework for Node.js. In versions 5.0.0 to 5.3.0, applications that specify different validation strategies for different content types can have their validation bypassed by a request that presents a _slightly altered_ content type, such as different casing or altered whitespace before `;`. This issue has been patched in version 5.3.1. A workaround is to not specify individual content types in the schema.
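To make the failure mode concrete, the following is an added example (not Fastify's code) of a validator lookup keyed by content type: the naive version compares the raw header string, so a differently cased type or extra whitespace before `;` finds no validator and the body passes unvalidated, while the hardened version canonicalises the media type first and fails closed. The validators and request payloads are constructed for the example.

```javascript
// Constructed per-content-type validators, keyed by canonical media type.
const validators = {
  'application/json': (body) =>
    typeof body === 'object' && body !== null && typeof body.id === 'number',
  'text/plain': (body) => typeof body === 'string' && body.length <= 64,
};

// Vulnerable pattern: exact string match on the raw header. A key that is not
// found means "no validator configured", and the request is accepted as-is.
function validateNaive(contentType, body) {
  const check = validators[contentType];
  return check ? check(body) : true;
}

// Canonical media type per RFC 7231: drop parameters after ';', trim the
// surrounding whitespace, and lower-case the case-insensitive type/subtype.
function canonicalMediaType(contentType) {
  if (typeof contentType !== 'string') return null;
  const mediaType = contentType.split(';', 1)[0].trim().toLowerCase();
  return /^[^\s/;]+\/[^\s/;]+$/.test(mediaType) ? mediaType : null;
}

// Hardened pattern: normalise before lookup and reject when nothing matches,
// so a content type the schema does not cover is never silently accepted.
function validateHardened(contentType, body) {
  const key = canonicalMediaType(contentType);
  const check = key ? validators[key] : undefined;
  return check ? check(body) : false;
}
```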

Classification

CVE ID: CVE-2025-32442

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Problem Types

CWE-1287: Improper Validation of Specified Type of Input

Affected Products

Vendor: fastify

Product: fastify

References

https://nvd.nist.gov/vuln/detail/CVE-2025-32442
https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc
https://github.com/fastify/fastify/commit/436da4c06dfbbb8c24adee3a64de0c51e4f47418
https://hackerone.com/reports/3087928

Timeline