2361006 – (CVE-2025-32442) CVE-2025-32442 Fastify: Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass

Bug 2361006 (CVE-2025-32442) - CVE-2025-32442 Fastify: Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass

Summary: CVE-2025-32442 Fastify: Fastify vulnerable to invalid content-type parsing, w...

Keywords:
Status:	NEW
Alias:	CVE-2025-32442
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-04-18 17:01 UTC by OSIDB Bzimport
Modified:	2025-04-22 14:09 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-04-18 17:01:09 UTC

Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`. This issue has been patched in version 5.3.1. A workaround involves not specifying individual content types in the schema.

Note You need to log in before you can comment on or make changes to this bug.