Validation Bypass in Fastify Web Framework Affecting Node.js Applications
CVE-2025-32442

7.5 HIGH

Key Information:

Vendor: Fastify
Status: Vendor
CVE Published: 18 April 2025

What is CVE-2025-32442?

The Fastify web framework for Node.js, in versions 5.0.0 through 5.3.0, contains a vulnerability that allows attackers to bypass content type validation by sending a slightly altered content type. The root cause is a lack of strict validation when schemas are defined per content type: a header that differs only in casing, or in whitespace before a separator, is not matched against the schema declared for that content type, so the body is not validated. The issue was first addressed in version 5.3.1, but a further patch in version 5.3.2 was needed to fully resolve it. Users are advised to upgrade to at least version 5.3.2; as a temporary workaround, avoid specifying individual content types in the schema.
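The following is an added illustration of the failure mode described above, not Fastify's own code: a body schema keyed by media type is looked up first by exact string match and then after canonicalising the header (lower-casing, trimming, dropping parameters). The `bodySchemas` map, the header variants and all function names are constructed for this example.

```javascript
// Constructed sample: one body schema declared for a single media type,
// as an application might do in a per-content-type route schema.
const bodySchemas = {
  'application/json': { type: 'object', required: ['user'] },
};

// Weak lookup: exact string match on the raw Content-Type header value.
// Any deviation in case or spacing finds no schema, and validation is skipped.
function lookupSchemaExact(contentTypeHeader) {
  return bodySchemas[contentTypeHeader] || null;
}

// Reduce a Content-Type header to its canonical media type: drop parameters
// such as ";charset=utf-8", trim surrounding whitespace and lower-case,
// since media types are case-insensitive. Returns null for non-media-type junk.
function canonicalMediaType(contentTypeHeader) {
  if (typeof contentTypeHeader !== 'string') return null;
  const mediaType = contentTypeHeader.split(';')[0].trim().toLowerCase();
  return /^[\w.+-]+\/[\w.+-]+$/.test(mediaType) ? mediaType : null;
}

// Hardened lookup: canonicalise before consulting the schema map, so the
// schema applies to every spelling of the same media type.
function lookupSchemaNormalized(contentTypeHeader) {
  const key = canonicalMediaType(contentTypeHeader);
  return key ? bodySchemas[key] || null : null;
}

// Fail closed: a body-carrying request with no matching schema is rejected
// rather than passed through unvalidated.
function validationDecision(contentTypeHeader) {
  return lookupSchemaNormalized(contentTypeHeader) ? 'validate' : 'reject';
}

// Constructed header variants of the kind the advisory describes
// (casing changes, whitespace before the ";" separator).
const variants = [
  'application/json',
  'Application/JSON',
  'application/json ; charset=utf-8',
  'application/json;charset=utf-8',
];

// Compare both lookups over the variants; returns one row per header.
function compareLookups() {
  return variants.map((h) => ({
    header: h,
    exactMatch: lookupSchemaExact(h) !== null,
    normalizedMatch: lookupSchemaNormalized(h) !== null,
  }));
}
```

Only the first variant finds the schema under the exact lookup; all four do under the canonicalising lookup.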

Affected Version(s)

fastify >= 5.0.0, < 5.3.2 < 5.0.0, 5.3.2

fastify = 4.29.0 = 4.29.0

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published