2436560 – (CVE-2026-25223) CVE-2026-25223 Fastify: Fastify: Validation bypass due to malformed Content-Type header leading to integrity impact

Bug 2436560 (CVE-2026-25223) - CVE-2026-25223 Fastify: Fastify: Validation bypass due to malformed Content-Type header leading to integrity impact

Summary: CVE-2026-25223 Fastify: Fastify: Validation bypass due to malformed Content-T...

Keywords:
Status:	NEW
Alias:	CVE-2026-25223
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-03 22:01 UTC by OSIDB Bzimport
Modified:	2026-02-04 03:37 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-03 22:01:43 UTC

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.

Note You need to log in before you can comment on or make changes to this bug.