Home > Vulnerability Database > CVE-2026-25223

Mend.io Vulnerability Database

CVE-2026-25223

Good to know:

Date: February 3, 2026

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.

Severity Score

7.5

Related Resources (9)

Url: https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821

Url: https://hackerone.com/reports/3464114

Url: https://github.com/fastify/fastify

Url: https://fastify.dev/docs/latest/Reference/Validation-and-Serialization

Url: https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-25223

Url: https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq

Url: https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272

Url: https://www.mend.io/vulnerability-database/CVE-2026-25223

Severity Score

7.5

Weakness Type (CWE)

Interpretation Conflict

CWE-436

Top Fix

Upgrade Version

Upgrade to version fastify - 5.7.2;https://github.com/fastify/fastify.git - v5.7.2

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-25223

Good to know:

Date: February 3, 2026

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?