CVE-2026-3419

描述

# Description Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of [RFC 9110 §8.3.1](https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with `Content-Type: application/json garbage` passes validation and is processed normally, rather than being rejected with `415 Unsupported Media Type`. When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached. ## Impact An attacker can send requests with RFC-invalid `Content-Type` headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid. ## Workarounds Deploy a WAF rule to protect against this ## Fix The fix is available starting with v5.8.1.

受影響套件(1)

• npm/fastify>= 5.7.2, < 5.8.1

CVSS 分數

參考連結(8)

• ADVISORYhttps://github.com/advisories/GHSA-573f-x89g-hqp9
• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-3419
• PATCHhttps://github.com/fastify/fastify
• WEBhttps://cna.openjsf.org/security-advisories.html
• WEBhttps://github.com/fastify/fastify/commit/67f6c9b32cb3623d3c9470cc17ed830dd2f083d7
• WEBhttps://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9
• WEBhttps://httpwg.org/specs/rfc9110.html#field.content-type
• WEBhttps://www.cve.org/CVERecord?id=CVE-2026-3419