CVE-2026-25223 Overview
CVE-2026-25223 is a validation bypass vulnerability in Fastify, a fast and low overhead web framework for Node.js. Prior to version 5.7.2, a critical flaw exists where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type.
This vulnerability allows attackers to submit malicious or malformed data to Fastify applications that rely on schema validation for security enforcement, potentially leading to data integrity issues, injection attacks, or other application-specific security impacts.
Critical Impact
Attackers can completely bypass request body validation in Fastify applications, allowing submission of unvalidated and potentially malicious payloads that the application processes as legitimate requests.
Affected Products
- Fastify versions prior to 5.7.2
- Node.js applications using Fastify with Content-Type based body validation
- APIs relying on Fastify's schema validation for input sanitization
Discovery Timeline
- 2026-02-03 - CVE CVE-2026-25223 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2026-25223
Vulnerability Analysis
This vulnerability falls under CWE-436 (Interpretation Conflict), where two different components interpret the same input differently. The root issue lies in how Fastify's content-type parser and validation logic handle Content-Type headers with trailing characters.
When a request is received, Fastify's content-type parser extracts the media type to determine how to parse the request body. However, the validation schema lookup uses a different method to match Content-Type headers to validation schemas. By appending a tab character followed by arbitrary text to the Content-Type header (e.g., application/json\tsomething), an attacker can cause the validation lookup to fail while the parser still correctly identifies and processes the content as JSON.
This interpretation conflict allows attackers to send requests that bypass all body validation while still having their payload processed normally by the application.
Root Cause
The vulnerability stems from inconsistent handling of Content-Type headers between two code paths in Fastify. The content-type parser (in lib/content-type-parser.js) correctly extracts the media type by handling whitespace and parameters according to RFC 9110 specifications. However, the validation schema matching logic (in lib/validation.js) performed a direct string comparison or used different parsing logic that did not properly handle tab characters and trailing content.
This mismatch created a scenario where the validation module could not find a matching schema for the manipulated Content-Type, effectively skipping validation, while the parser module still correctly identified the content type for body parsing.
Attack Vector
The attack is network-based and can be executed remotely without authentication. An attacker simply needs to:
- Identify a Fastify endpoint with body validation configured
- Craft a request with a manipulated Content-Type header containing a tab character
- Submit any payload without it being validated against the defined schema
The security patch introduces a dedicated lib/content-type.js module that provides consistent Content-Type parsing according to RFC 9110:
+'use strict'
+
+/**
+ * keyValuePairsReg is used to split the parameters list into associated
+ * key value pairings.
+ *
+ * @see https://httpwg.org/specs/rfc9110.html#parameter
+ * @type {RegExp}
+ */
+const keyValuePairsReg = /([\w!#$%&'*+.^`|~-]+)=([^;]*)/gm
+
+/**
+ * typeNameReg is used to validate that the first part of the media-type
+ * does not use disallowed characters.
+ *
+ * @see https://httpwg.org/specs/rfc9110.html#rule.token.separators
+ * @type {RegExp}
+ */
+const typeNameReg = /^[\w!#$%&'*+.^`|~-]+$/
+
+/**
+ * subtypeNameReg is used to validate that the second part of the media-type
+ * does not use disallowed characters.
+ *
+ * @see https://httpwg.org/specs/rfc9110.html#rule.token.separators
+ * @type {RegExp}
+ */
+const subtypeNameReg = /^[\w!#$%&'*+.^`|~-]+\s*/
Source: Fastify Commit Overview
Detection Methods for CVE-2026-25223
Indicators of Compromise
- HTTP requests containing tab characters (\t or %09) within Content-Type headers
- Unusual Content-Type header values with trailing garbage or unexpected parameters
- Application logs showing validation errors followed by successful processing of the same request
- Requests with Content-Type headers like application/json\t* or similar patterns
Detection Strategies
- Configure WAF rules to detect and block requests with tab characters or unexpected whitespace in Content-Type headers
- Implement application-level logging that captures raw Content-Type header values for forensic analysis
- Deploy runtime application security monitoring to detect validation bypass attempts
- Review access logs for patterns of requests with malformed Content-Type headers targeting validated endpoints
Monitoring Recommendations
- Enable detailed HTTP header logging for all Fastify application endpoints
- Set up alerts for requests where Content-Type headers contain control characters (ASCII 0x00-0x1F)
- Monitor for increased error rates in validation modules that might indicate exploitation attempts
- Implement anomaly detection for unusual Content-Type header patterns in your application traffic
How to Mitigate CVE-2026-25223
Immediate Actions Required
- Upgrade Fastify to version 5.7.2 or later immediately
- Audit application logs for any evidence of exploitation attempts using malformed Content-Type headers
- Review any security-critical functionality that relies on Fastify's body validation to assess potential impact
- Consider implementing additional input validation at the application layer as defense-in-depth
Patch Information
The vulnerability has been patched in Fastify version 5.7.2. The fix introduces a new dedicated Content-Type parsing module (lib/content-type.js) that ensures consistent parsing according to RFC 9110 specifications across both the content-type parser and validation components.
Upgrade using npm:
npm update fastify@5.7.2
For more details, refer to the GitHub Security Advisory GHSA-jx2c-rxcm-jvmq and the HackerOne Vulnerability Report #3464114.
Workarounds
- Implement custom middleware to sanitize and normalize Content-Type headers before they reach Fastify's routing and validation logic
- Add explicit Content-Type header validation in a pre-handler hook that rejects requests with tab characters or unexpected content
- Deploy a reverse proxy or WAF rule to strip or reject malformed Content-Type headers
- For critical endpoints, implement secondary validation using an independent validation library
# Example nginx configuration to block malformed Content-Type headers
# Add to your nginx server block configuration
if ($content_type ~* "[\t]") {
return 400;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
