
James Sumners

#48119 of 53,634
5.3 Total CVSS
Vulnerabilities · 1
PT-2026-23622
5.3
2026-03-05
Fastify · Fastify · CVE-2026-3419
**Name of the Vulnerable Software and Affected Versions**

Fastify versions prior to 5.8.1

**Description**

Fastify incorrectly validates `Content-Type` headers, accepting malformed values with trailing characters after the subtype token. RFC 9110 defines a media type as `type "/" subtype`, optionally followed by `;`-separated parameters, so a value such as `application/json garbage` is invalid and should be rejected with a 415 Unsupported Media Type response; instead, Fastify may process the request. When regex-based content-type parsers are registered, the malformed value is matched against them, potentially routing the request to a parser that was never meant to handle it. An attacker can therefore bypass content-type validation and have the server parse a request body under an invalid content type.

**Recommendations**

Update to Fastify 5.8.1 or later. As a temporary workaround, deploy a WAF rule that rejects `Content-Type` values that do not conform to the RFC 9110 media-type grammar (anything other than optional whitespace or a `;`-separated parameter list after the subtype token).
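The following is an added example, not Fastify's code and not the advisory's own fix. It puts a strict RFC 9110 media-type parser next to a start-anchored regex of the kind the advisory describes, so the difference on `application/json garbage` is visible: the loose regex matches, the strict parser returns null and the request gets a 415. All function names (`parseMediaType`, `looseIsJson`, `strictIsJson`, `selectParser`) and the `LOOSE_JSON` pattern are this example's own assumptions, and the sample header values are constructed.

```javascript
// Added example, not Fastify's code: a strict RFC 9110 media-type parser next to
// the kind of loose, start-anchored regex match that lets a trailing-garbage
// Content-Type value through. Function and constant names are this example's own.

// RFC 9110 token characters (tchar): no whitespace, no delimiters.
const TCHAR = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// RFC 9110 quoted-string: qdtext or backslash-escaped quoted-pair between DQUOTEs.
const QSTRING = /^"(?:[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]|\\[\t \x21-\x7e\x80-\xff])*"$/;

// Strip optional whitespace (OWS = SP / HTAB) from both ends.
function owsTrim(s) {
  return s.replace(/^[ \t]+|[ \t]+$/g, '');
}

// Split a field value on ';' while leaving ';' inside quoted strings untouched.
// Returns null on an unterminated quoted string.
function splitParams(value) {
  const out = [];
  let cur = '';
  let inQuote = false;
  for (let i = 0; i < value.length; i++) {
    const c = value[i];
    if (inQuote) {
      cur += c;
      if (c === '\\' && i + 1 < value.length) cur += value[++i]; // quoted-pair
      else if (c === '"') inQuote = false;
    } else if (c === '"') {
      inQuote = true;
      cur += c;
    } else if (c === ';') {
      out.push(cur);
      cur = '';
    } else {
      cur += c;
    }
  }
  if (inQuote) return null;
  out.push(cur);
  return out;
}

// Parse a Content-Type value per RFC 9110 section 8.3.1:
//   media-type = type "/" subtype parameters
//   parameters = *( OWS ";" OWS [ parameter ] )
// Returns { type, subtype, params } (type, subtype and parameter names
// lower-cased) or null when the value does not conform.
function parseMediaType(value) {
  if (typeof value !== 'string') return null;
  const segments = splitParams(value);
  if (segments === null) return null;
  const essence = owsTrim(segments[0]);
  const slash = essence.indexOf('/');
  if (slash === -1) return null;
  const type = essence.slice(0, slash);
  const subtype = essence.slice(slash + 1);
  // "json garbage" contains a space, which is not a tchar, so it fails here.
  if (!TCHAR.test(type) || !TCHAR.test(subtype)) return null;
  const params = {};
  for (const seg of segments.slice(1)) {
    const p = owsTrim(seg);
    if (p === '') continue; // RFC 9110 allows an empty parameter slot ("a/b;")
    const eq = p.indexOf('=');
    if (eq === -1) return null;
    const name = p.slice(0, eq).toLowerCase();
    const raw = p.slice(eq + 1);
    if (!TCHAR.test(name)) return null;
    if (TCHAR.test(raw)) params[name] = raw;
    else if (QSTRING.test(raw)) params[name] = raw.slice(1, -1).replace(/\\(.)/g, '$1');
    else return null;
  }
  return { type: type.toLowerCase(), subtype: subtype.toLowerCase(), params };
}

// A start-anchored regex of the kind a content-type parser might be registered
// with (constructed for this example). It accepts the malformed value because
// nothing after "application/json" is checked.
const LOOSE_JSON = /^application\/json/i;
function looseIsJson(value) {
  return LOOSE_JSON.test(value);
}

// The strict alternative: only a value that parses, and whose essence is
// application/json, is routed to the JSON parser.
function strictIsJson(value) {
  const mt = parseMediaType(value);
  return mt !== null && mt.type === 'application' && mt.subtype === 'json';
}

// Decide how a request body should be handled; 415 when the header is invalid
// or no parser is registered for the media type.
function selectParser(value) {
  const mt = parseMediaType(value);
  if (mt === null) return { status: 415, parser: null };
  if (mt.type === 'application' && mt.subtype === 'json') return { status: 200, parser: 'json' };
  return { status: 415, parser: null };
}

// Constructed sample values: a valid header, and the malformed one from the advisory.
for (const v of ['application/json; charset=utf-8', 'application/json garbage']) {
  console.log(JSON.stringify(v), 'loose:', looseIsJson(v), 'strict:', strictIsJson(v), selectParser(v));
}
```

The parser is deliberately framework-free so it runs as-is; in a real service the `parseMediaType` check belongs ahead of parser selection, and a registered regex parser should be matched against the parsed `type/subtype` essence rather than against the raw header string. Quoted parameter values are handled (including `;` inside quotes) so that a legitimate `boundary="a;b"` is not mistaken for trailing garbage.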