Fastify · Fastify · CVE-2022-39288
**Name of the Vulnerable Software and Affected Versions**
fastify versions 4.0.0 through 4.8.0
**Description**
The issue allows an attacker to send an invalid `Content-Type` header, potentially causing the application to crash and leading to a denial of service attack. It is estimated that a significant number of devices using the fastify framework may be affected.
**Recommendations**
For fastify versions 4.0.0 through 4.8.0, update to version 4.8.1 or later to resolve the issue.
As a temporary workaround, consider adding a hook that rejects malicious content types before the body parser runs, using code such as:
```js
// Property names inherited by every plain object (e.g. "constructor",
// "__proto__"); a Content-Type matching one of these is what triggers the bug.
const badNames = Object.getOwnPropertyNames({}.__proto__)

fastify.addHook('onRequest', async (req, reply) => {
  // Requests without a Content-Type header carry no body to parse; let them through.
  const contentType = req.headers['content-type']
  if (typeof contentType !== 'string') return
  for (const badName of badNames) {
    if (contentType.indexOf(badName) > -1) {
      reply.code(415)
      throw new Error('Content type not supported')
    }
  }
})
```
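The following is an added example, not fastify's code: a minimal content-type parser registry showing why a header value such as `constructor` resolves to something that is not a parser when a plain object is indexed directly, and how an own-property check and the header guard above prevent it. `parseJson`, `parseText` and the registry layout are hypothetical stand-ins for the framework's internals.

```javascript
// Added example (not fastify's code). The registry shape and the two
// parsers are hypothetical stand-ins for the framework's internals.

// Names every plain object inherits from Object.prototype. A header value
// equal to one of them (e.g. "constructor") resolves on a plain-object
// registry even though no parser was ever registered under that key.
const INHERITED_NAMES = Object.getOwnPropertyNames(Object.prototype)

const parseJson = (body) => JSON.parse(body)
const parseText = (body) => String(body)

// Registry indexed directly by the raw header value.
const registry = {
  'application/json': parseJson,
  'text/plain': parseText,
}

// Naive lookup: inherited properties leak through, so "constructor"
// returns Object (a function) and "__proto__" returns Object.prototype.
// Calling either as a parser is what turns a bad header into a crash.
function naiveLookup(contentType) {
  return registry[contentType]
}

// Hardened lookup: only keys that were explicitly registered count.
function safeLookup(contentType) {
  return Object.prototype.hasOwnProperty.call(registry, contentType)
    ? registry[contentType]
    : undefined
}

// Header-level guard equivalent to the advisory's onRequest hook, but
// tolerant of a missing header. Returns true when the request should be
// rejected with 415 before any body parser is selected.
function isSuspiciousContentType(headerValue) {
  if (typeof headerValue !== 'string') return false
  return INHERITED_NAMES.some((name) => headerValue.indexOf(name) > -1)
}

module.exports = { naiveLookup, safeLookup, isSuspiciousContentType, parseJson }
```

`naiveLookup('constructor')` returns `Object` rather than `undefined`, which is the lookup failure the hardened `safeLookup` and the header guard both close off.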