pkg:npm/fastify

All known vulnerabilities

• HIGH7.5CVE-2026-33806Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header
  >= 5.3.2, < 5.8.5
• HIGH7.5CVE-2026-25223Fastify's Content-Type header tab character allows body validation bypass
  from 0, < 5.7.2
• HIGH7.5CVE-2025-32442Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass
  >= 5.0.0, < 5.3.2
• HIGH7.5fastify vulnerable to denial of service via malicious Content-Type
  >= 4.0.0, < 4.8.1
• HIGH7.5Denial of Service vulnerability with large JSON payloads in fastify
  from 0, < 0.38.0
• MEDIUM6.1fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections
  from 0, < 5.8.3
• MEDIUM5.3Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation
  >= 5.7.2, < 5.8.1
• MEDIUM4.2Fastify: Incorrect Content-Type parsing can lead to CSRF attack
  >= 4.0.0, < 4.10.2
• LOW3.7Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream
  from 0, < 5.7.3
• —Denial of service in fastify
  from 0, < 2.15.1