CVE-2025-32442
Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass
Description
### Impact In applications that specify different validation strategies for different content types, it's possible to bypass the validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`. Users using the the following pattern are affected: ```js fastify.post('/', { handler(request, reply) { reply.code(200).send(request.body) }, schema: { body: { content: { 'application/json': { schema: { type: 'object', properties: { 'foo': { type: 'string', } }, required: ['foo'] } }, } } } }) ``` User using the following pattern are **not** affected: ```js fastify.post('/', { handler(request, reply) { reply.code(200).send(request.body) }, schema: { body: { type: 'object', properties: { 'foo': { type: 'string', } }, required: ['foo'] } } }) ``` ### Patches This was patched in v5.3.1, but unfortunately it did not cover all problems. This has been fully patched in v5.3.2. Version v4.9.0 was also affected by this issue. This has been fully patched in v4.9.1. ### Workarounds Do not specify multiple content types in the schema. ### References _Are there any links users can visit to find out more?_ https://hackerone.com/reports/3087928
How to fix CVE-2025-32442
To remediate CVE-2025-32442, upgrade the affected package to a fixed version below.
- —upgrade to 5.3.2 or later
Is CVE-2025-32442 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 5.0.0, < 5.3.2