641 matches found

NVD
added 2025/04/18 4:15 p.m., 16 views

CVE-2025-32442

Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a slightly altered content type such as...

7.5 CVSS, 0.00635 EPSS
Exploits 1, References 4
Cvelist
added 2025/04/18 3:59 p.m., 20 views

CVE-2025-32442 Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass

Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a slightly altered content type such as...

7.5 CVSS, 0.00635 EPSS
Exploits 1, References 4
Vulnrichment
added 2025/04/18 3:59 p.m., 13 views

CVE-2025-32442 Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass

Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a slightly altered content type such as...

7.5 CVSS, 7.4 AI score, 0.00635 EPSS
Exploits 1, References 4
CVE
added 2025/04/18 3:59 p.m., 85 views

CVE-2025-32442

The CVE-2025-32442 issue affects Fastify (Node.js) where applications that specify different validation strategies for multiple content types can bypass validation by supplying a slightly altered Content-Type (e.g., different casing or whitespace before ";"). Affected versions include Fastify 5.0...

7.5 CVSS, 7.4 AI score, 0.00635 EPSS
Exploits 1, References 4, Affected Software 1
OSV
added 2025/04/18 3:59 p.m., 14 views

CVE-2025-32442 Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass

Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a slightly altered content type such as...

7.5 CVSS, 7.3 AI score, 0.00635 EPSS
Exploits 1, References 6
vulnersOsv
added 2025/04/18 3:2 p.m., 6 views

@andesite-lab/andesite-core (=1.60.2), @bechara/crux (>=6.0.0 <=6.6.2) +139 more potentially affected by CVE-2025-32442 via fastify (>=5.0.0 <=5.3.1)

fastify NPM version =5.0.0, =6.0.0, =0.2.305, =1.0.6, =1.0.11, =1.9.4, =2.0.0, =1.6.0, =1.6.0, =1.6.0, =1.6.0, =1.6.0, =1.6.0, =1.8.3 - @citrineos/ocpi-base =2.0.1 - @citrineos/ocpi-cdrs =2.0.1 and more Source cves: CVE-2025-32442 Source advisory: OSV:GHSA-MG2H-6X62-WPWC...

7.5 CVSS, 7.2 AI score, 0.00635 EPSS
Exploits 1
vulnersOsv
added 2025/04/18 3:2 p.m., 8 views

@chainlink/external-adapter-framework (>=1.7.5 <=1.7.7), @intuned/runtime (=1.3.15) +89 more potentially affected by CVE-2025-32442 via fastify (=4.29.0)

fastify NPM version =4.29.0 is affected by a known vulnerability. The following packages have a transitive dependency on fastify and may be impacted: - @chainlink/external-adapter-framework =1.7.5, =1.3.14-ts-runtime-helpers, =0.0.0-a2a-20250421213654, =3.26.12-beta.2, =0.0.2, =0.3.23, =1.1.26,...

7.5 CVSS, 7.1 AI score, 0.00635 EPSS
Exploits 1
Github Security Blog
added 2025/04/18 3:2 p.m., 13 views

Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass

Impact: In applications that specify different validation strategies for different content types, it's possible to bypass the validation by providing a slightly altered content type such as with different casing or altered whitespacing before ;. Users using the following pattern are affected: ...

7.5 CVSS, 7.5 AI score, 0.00635 EPSS
Exploits 1, References 6, Affected Software 1
OSV
added 2025/04/18 3:2 p.m., 2 views

GHSA-MG2H-6X62-WPWC Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass

Impact: In applications that specify different validation strategies for different content types, it's possible to bypass the validation by providing a slightly altered content type such as with different casing or altered whitespacing before ;. Users using the following pattern are affected: ...

7.5 CVSS, 6.9 AI score, 0.00635 EPSS
Exploits 1, References 6
CNNVD
added 2025/04/18 12:0 a.m., 3 views

Fastify security vulnerability

Fastify is a web framework from Fastify open source. A security vulnerability exists in Fastify versions 5.0.0 through 5.3.0 that stems from a possible bypass of content type validation...

7.5 CVSS, 7.4 AI score, 0.00635 EPSS
Exploits 1, References 6
Positive Technologies
added 2025/04/18 12:0 a.m., 2 views

PT-2025-17315

Name of the Vulnerable Software and Affected Versions: Fastify versions 4.29.0 through 5.3.1; Fastify version 4.9.0. Description: Fastify is a fast, low overhead web framework for Node.js. Applications specifying different validation strategies for different content types may bypass validation by...

7.5 CVSS, 7 AI score, 0.00635 EPSS
Exploits 1, References 23
RedhatCVE
added 2025/02/06 2:32 a.m., 8 views

CVE-2025-24033

@fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3, the saveRequestFiles function does not delete the uploaded temporary files when user cancels the request. The issue is fixed in versions 8.3.1 and 9.0.3. As a workaround, do not use...

7.5 CVSS, 6.5 AI score, 0.00552 EPSS
Exploits 0, References 1
RedhatCVE
added 2025/02/05 7:39 p.m., 25 views

CVE-2022-39386

@fastify/websocket provides WebSocket support for Fastify. Any application using @fastify/websocket could crash if a specific, malformed packet is sent. All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched. This has been patched in version 7.1....

7.5 CVSS, 6.6 AI score, 0.00731 EPSS
Exploits 0, References 1
RedhatCVE
added 2025/02/05 7:33 p.m., 7 views

CVE-2022-39288

fastify is a fast and low overhead web framework, for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed i...

7.5 CVSS, 6.6 AI score, 0.59244 EPSS
Exploits 0, References 1
RedhatCVE
added 2025/02/05 12:31 a.m., 4 views

CVE-2024-31999

@fastify/secure-session creates a secure stateless cookie session for Fastify. At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is...

7.4 CVSS, 7.4 AI score, 0.00616 EPSS
Exploits 0, References 1
RedhatCVE
added 2025/02/04 10:12 p.m., 15 views

CVE-2024-35220

@fastify/session is a session plugin for fastify. Requires the @fastify/cookie plugin. When restoring the cookie from the session store, the expires field is overridden if the maxAge field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not...

7.4 CVSS, 7.4 AI score, 0.00445 EPSS
Exploits 0, References 1
Veracode
added 2025/01/29 2:26 a.m., 9 views

Temporary File Retention

@fastify/multipart is vulnerable to Temporary File Retention. The vulnerability is due to the saveRequestFiles function failing to delete temporary uploaded files when a user cancels the request, which allows an attacker to repeatedly initiate and cancel file uploads, leading to excessive disk space...

7.5 CVSS, 6.7 AI score, 0.00552 EPSS
Exploits 0, References 5, Affected Software 1
BDU FSTEC
added 2025/01/27 12:0 a.m., 5 views

The vulnerability of the `saveRequestFiles` function in the Fastify JavaScript software framework allows a hacker to trigger a service failure.

The vulnerability of the saveRequestFiles function in the Fastify JavaScript software framework is related to the use of incorrect authentication tokens due to unlimited resource distribution. Exploiting this vulnerability could allow a malicious actor to cause service failures by sending special...

7.8 CVSS, 5.5 AI score, 0.00552 EPSS
Exploits 0, References 3, Affected Software 1
NVD
added 2025/01/23 6:15 p.m., 17 views

CVE-2025-24033

@fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3, the saveRequestFiles function does not delete the uploaded temporary files when user cancels the request. The issue is fixed in versions 8.3.1 and 9.0.3. As a workaround, do not use...

7.5 CVSS, 0.00552 EPSS
Exploits 0, References 3
Github Security Blog
added 2025/01/23 6:2 p.m., 18 views

Unlimited consumption of resources in @fastify/multipart

Impact: The saveRequestFiles function does not delete the uploaded temporary files when user cancels the request. Patches: Fixed in version 8.3.1 and 9.0.3. Workarounds: Do not use saveRequestFiles. References: This was identified in https://github.com/fastify/fastify-multipart/issues/546 and fixed in...

7.5 CVSS, 6.9 AI score, 0.00552 EPSS
Exploits 0, References 5, Affected Software 1