CVE-2025-32442: Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass
In applications that specify different validation strategies for different content types, it is possible to bypass the validation by providing a slightly altered content type, such as one with different casing or altered whitespace before the `;` that separates the media type from its parameters.
Users using the following pattern are affected:

```js
fastify.post('/', {
  handler(request, reply) {
    reply.code(200).send(request.body)
  },
  schema: {
    body: {
      content: {
        'application/json': {
          schema: {
            type: 'object',
            properties: {
              'foo': {
                type: 'string',
              }
            },
            required: ['foo']
          }
        },
      }
    }
  }
})
```
Users using the following pattern are not affected:

```js
fastify.post('/', {
  handler(request, reply) {
    reply.code(200).send(request.body)
  },
  schema: {
    body: {
      type: 'object',
      properties: {
        'foo': {
          type: 'string',
        }
      },
      required: ['foo']
    }
  }
})
```
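The following is an added illustration, not code from Fastify or from the advisory: it contrasts an exact-match lookup of a per-content-type body schema (the shape of the affected pattern above) with a lookup that normalizes the media type first, using constructed header variants. All function names are hypothetical helpers; the "no schema found means nothing is enforced" behaviour is a stand-in for the bypass the advisory describes, not Fastify's internal code.

```javascript
// Added example (not Fastify's own code). Shows why keying a schema table on
// the raw Content-Type string misses case and whitespace variants, and how
// normalizing to the bare media type before lookup removes that gap.

// Hypothetical schema table keyed by media type, as in the affected pattern.
const schemasByContentType = {
  'application/json': { type: 'object', required: ['foo'] },
};

// Normalize a Content-Type value to its bare media type:
// drop parameters after ';', trim surrounding whitespace, lowercase.
function normalizeContentType(header) {
  if (typeof header !== 'string') return '';
  return header.split(';')[0].trim().toLowerCase();
}

// Weak lookup: exact string match on the raw header value.
function lookupSchemaNaive(header) {
  return schemasByContentType[header] || null;
}

// Hardened lookup: match on the normalized media type.
function lookupSchemaNormalized(header) {
  return schemasByContentType[normalizeContentType(header)] || null;
}

// Minimal stand-in for schema validation: body must be an object that
// carries every required property. No matching schema means nothing is
// enforced, which is the validation bypass the advisory describes.
function validateBody(schema, body) {
  if (!schema) return true;
  if (typeof body !== 'object' || body === null) return false;
  return schema.required.every((key) => key in body);
}

function isAccepted(lookup, header, body) {
  return validateBody(lookup(header), body);
}

// Constructed header variants for the same media type; returns the ones
// that let an empty body (missing the required 'foo') through.
function variantsAcceptingEmptyBody(lookup) {
  const variants = ['application/json', 'Application/JSON', 'application/json ; charset=utf-8'];
  return variants.filter((h) => isAccepted(lookup, h, {}));
}
```

With the exact-match lookup, only the first variant is validated; with the normalized lookup, all three are checked against the schema.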
References
- github.com/advisories/GHSA-mg2h-6x62-wpwc
- github.com/fastify/fastify
- github.com/fastify/fastify/commit/436da4c06dfbbb8c24adee3a64de0c51e4f47418
- github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4
- github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc
- hackerone.com/reports/3087928
- nvd.nist.gov/vuln/detail/CVE-2025-32442