CVE-2025-32442 Overview
CVE-2025-32442 is a validation bypass vulnerability in Fastify, a fast and low overhead web framework for Node.js. Applications that specify different validation strategies for different content types are susceptible to bypassing input validation through manipulation of the Content-Type header. An attacker can exploit this by providing a slightly altered content type, such as with different casing or altered whitespace before the ; delimiter.
Critical Impact
Attackers can bypass input validation controls by manipulating Content-Type headers, potentially allowing malicious payloads to reach application logic without proper sanitization.
Affected Products
- Fastify versions 5.0.0 through 5.3.0
- Fastify version 4.29.0
- Applications using content-type-specific validation schemas
Discovery Timeline
- 2025-04-18 - CVE-2025-32442 published to NVD
- 2025-08-22 - Last updated in NVD database
Technical Details for CVE-2025-32442
Vulnerability Analysis
This vulnerability stems from improper input validation in the Content-Type header parsing mechanism within Fastify's validation module. When applications define different validation schemas for different content types (such as application/json versus application/xml), Fastify attempts to match incoming requests to the appropriate validator based on the Content-Type header value.
The flaw exists in how the framework extracts the essence (media type) from the Content-Type header. The original implementation used a simple string split on the semicolon character to isolate the media type before any parameters. However, this approach failed to account for case sensitivity and whitespace variations that are technically valid according to HTTP specifications but could be used to evade schema matching.
An attacker could craft requests with Content-Type values like Application/JSON (different casing) or application/json ;charset=utf-8 (whitespace before semicolon) to bypass the validation schema associated with application/json. This allows untrusted input to flow into the application without the expected validation, potentially leading to injection attacks or data integrity issues.
Root Cause
The root cause is classified as CWE-1287 (Improper Validation of Specified Type of Input). The vulnerability exists in the getEssenceMediaType function within lib/validation.js. The initial implementation only split on the semicolon delimiter without normalizing case or handling whitespace before the delimiter.
The initial patch in v5.3.1 addressed some issues by adding .trim().toLowerCase() to normalize the extracted media type. However, it was discovered that spaces before the semicolon could also be used as a bypass vector, leading to an incomplete fix. The final patch modified the split regex from /;/ to /[ ;]/ to treat both spaces and semicolons as delimiters.
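The three generations of the media-type extraction described above, placed beside a simulated per-content-type schema lookup so the effect of each header variant on each version can be seen directly. This is an added example, not Fastify's own code: the three functions reproduce the logic quoted from lib/validation.js, while the schema table and the sample headers are constructed for the illustration.

```javascript
// Added example, not Fastify's own code. The three extraction functions mirror
// the quoted lib/validation.js logic; schemasByContentType and the header
// variants in coverage() are constructed for this illustration.

// Fastify <= 5.3.0 / 4.29.0: split on ';' only, no normalization at all.
function essenceVulnerable (header) {
  if (!header) return ''
  return header.split(';', 1)[0]
}

// 5.3.1 (incomplete fix): trim surrounding whitespace, then lower-case.
function essencePartial (header) {
  if (!header) return ''
  return header.split(';', 1)[0].trim().toLowerCase()
}

// 5.3.2 / 4.29.1 (complete fix): a space is a delimiter too, so anything
// after the first space or ';' is dropped before normalizing.
function essenceComplete (header) {
  if (!header) return ''
  return header.split(/[ ;]/, 1)[0].trim().toLowerCase()
}

// Constructed stand-in for context[bodySchema]: one validator per media type.
const schemasByContentType = {
  'application/json': (body) => typeof body === 'object' && body !== null,
  'text/plain': (body) => typeof body === 'string'
}

// Mirrors the lookup in the patch: a miss returns null, i.e. no schema applied.
function selectValidator (extractEssence, header) {
  return schemasByContentType[extractEssence(header)] ?? null
}

// For each header variant, does the lookup still find the application/json
// schema under the given version of the extraction logic?
function coverage (extractEssence) {
  const variants = {
    canonical: 'application/json',
    upperCase: 'Application/JSON',
    spaceBeforeSemicolon: 'application/json ;charset=utf-8',
    spaceNoSemicolon: 'application/json charset=utf-8'
  }
  const result = {}
  for (const [name, header] of Object.entries(variants)) {
    result[name] = selectValidator(extractEssence, header) !== null
  }
  return result
}
```

Comparing `coverage(essencePartial)` with `coverage(essenceComplete)` shows the one variant (a space with no following `;`) that only the regex delimiter reduces to the schema key.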
Attack Vector
The attack exploits the network-accessible nature of web applications. An attacker sends HTTP requests with manipulated Content-Type headers to bypass validation:
- Identify an endpoint with content-type-specific validation
- Craft a request with an altered Content-Type header (e.g., different case or added whitespace)
- Submit malicious payload that would normally be rejected by the validator
- The application processes the unvalidated input
Initial patch (incomplete) - lib/validation.js:
validatorFunction = context[bodySchema]
} else if (context[bodySchema]) {
// TODO: add request.contentType and reuse it here
- const contentType = request.headers['content-type']?.split(';', 1)[0]
+ const contentType = getEssenceMediaType(request.headers['content-type'])
const contentSchema = context[bodySchema][contentType]
if (contentSchema) {
validatorFunction = contentSchema
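Review bot: the lookup on `const contentSchema = context[bodySchema][contentType]` now keys on whatever `getEssenceMediaType` returns, but this hunk does not show that helper, so the normalization it is meant to provide (casing, whitespace before `;`) cannot be reviewed here; include the helper's definition in the same change and add tests that send `Application/JSON` and `application/json ;charset=utf-8` to a route with a content-type-specific body schema and assert the schema is applied. The `// TODO: add request.contentType and reuse it here` comment is left open; resolving it would let body parsing and validation share one normalized value instead of two separate derivations that can disagree.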
Source: GitHub Commit 436da4c
Complete fix - lib/validation.js:
*/
function getEssenceMediaType (header) {
if (!header) return ''
- return header.split(';', 1)[0].trim().toLowerCase()
+ return header.split(/[ ;]/, 1)[0].trim().toLowerCase()
}
module.exports = {
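Review bot: `header.split(/[ ;]/, 1)[0]` treats only a literal space and `;` as delimiters, so a tab between the media type and a trailing parameter with no `;` would still reach `.toLowerCase()` as a single token and miss the schema key; `/[\s;]/` covers all whitespace. A header that begins with a space also yields `''` from the split rather than the media type, so unless the HTTP layer is known to strip leading whitespace, trim before splitting: `return header.trim().split(/[\s;]/, 1)[0].toLowerCase()`. A test for both variants next to the casing and `;` cases would pin the behaviour down.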
Source: GitHub Commit f3d2bcb
Detection Methods for CVE-2025-32442
Indicators of Compromise
- HTTP requests with unusual Content-Type header casing (e.g., Application/JSON, APPLICATION/json)
- Content-Type headers containing whitespace before the semicolon delimiter (e.g., application/json ;charset=utf-8)
- Validation errors or bypasses logged in application logs following unusual Content-Type patterns
- Unexpected data processing for endpoints with strict content-type validation requirements
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and flag Content-Type headers with anomalous casing or whitespace patterns
- Monitor application logs for validation bypass indicators, particularly on endpoints using content-type-specific schemas
- Perform regular dependency audits to identify vulnerable Fastify versions in your environment using npm audit or similar tools
- Configure API gateway logging to capture and analyze Content-Type header variations
Monitoring Recommendations
- Enable verbose logging for Fastify request processing to capture Content-Type header values
- Set up alerts for validation failures that may indicate exploitation attempts
- Monitor for patterns of requests attempting multiple Content-Type variations against the same endpoint
- Review server access logs for systematic probing of Content-Type handling
How to Mitigate CVE-2025-32442
Immediate Actions Required
- Upgrade Fastify to version 5.3.2 or later for version 5.x installations
- Upgrade Fastify to version 4.29.1 or later for version 4.x installations
- Audit applications to identify endpoints using content-type-specific validation schemas
- Implement additional input validation at the application layer as defense-in-depth
Patch Information
Fastify has released patched versions addressing this vulnerability:
- Version 5.3.2 - Complete fix for 5.x branch
- Version 4.29.1 - Complete fix for 4.x branch
Note that version 5.3.1 contained an incomplete fix and should not be considered fully patched. Users should upgrade directly to 5.3.2 or later.
For detailed patch information, see the GitHub Security Advisory and the related HackerOne Report #3087928.
Workarounds
- Avoid specifying individual content types in the validation schema; use a single unified validation approach
- Implement custom middleware to normalize Content-Type headers before they reach Fastify's validation layer
- Add application-level validation that explicitly normalizes and validates Content-Type headers
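One check that serves both the Indicators of Compromise / Detection Strategies above and the normalizing-middleware workaround listed here. This is an added example, not code from Fastify or from the advisory: `analyzeContentType()` flags the header anomalies the indicators describe, `scanAccessLog()` runs it over constructed log records grouped by endpoint, and `registerContentTypeGuard()` reuses it as a Fastify `preValidation` hook (`fastify.addHook()` and `reply.code().send()` are real Fastify APIs; the hook is not executed here).

```javascript
// Added example, not Fastify's or the advisory's own code. analyzeContentType()
// flags the header indicators named on this page, scanAccessLog() runs it over
// constructed log records, and registerContentTypeGuard() reuses it as the
// workaround preValidation hook (real Fastify APIs, not executed here).

// Returns the anomalies found in a raw Content-Type value; [] means clean.
function analyzeContentType (header) {
  const findings = []
  if (typeof header !== 'string' || header === '') return findings
  const rawEssence = header.split(';', 1)[0]
  if (rawEssence !== rawEssence.toLowerCase()) findings.push('mixed-case-media-type')
  if (/\s$/.test(rawEssence) && header.includes(';')) findings.push('whitespace-before-delimiter')
  if (/^\S+\s+\S/.test(rawEssence.trim())) findings.push('space-inside-media-type')
  return findings
}

// Groups anomalous requests by path so repeated probing of one endpoint
// (see Monitoring Recommendations) is visible at a glance.
function scanAccessLog (records) {
  const byPath = {}
  for (const rec of records) {
    const findings = analyzeContentType(rec.contentType)
    if (findings.length === 0) continue
    if (!byPath[rec.path]) byPath[rec.path] = []
    byPath[rec.path].push({ contentType: rec.contentType, findings })
  }
  return byPath
}

// Workaround hook: refuse any Content-Type that is not already in canonical
// form, so no variant can reach a per-content-type schema lookup.
function registerContentTypeGuard (fastify) {
  fastify.addHook('preValidation', async (request, reply) => {
    const header = request.headers['content-type']
    if (header === undefined || analyzeContentType(header).length === 0) return
    return reply.code(415).send({ error: 'non-canonical Content-Type header' })
  })
}

// Constructed access-log sample: two variants from the advisory hit one endpoint.
const sampleLog = [
  { path: '/api/orders', contentType: 'application/json; charset=utf-8' },
  { path: '/api/orders', contentType: 'Application/JSON' },
  { path: '/api/orders', contentType: 'application/json ;charset=utf-8' },
  { path: '/api/notes', contentType: 'text/plain' }
]
```

Rejecting with 415 rather than rewriting the header keeps the hook free of any dependency on how Fastify exposes `request.headers`, and the 415 responses themselves become the log signal the detection strategies call for.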
# Upgrade Fastify to patched version
npm update fastify
# Verify installed version
npm list fastify
# For specific version installation
npm install fastify@5.3.2
# or for 4.x branch
npm install fastify@4.29.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.