PT-2026-23622 · Fastify · Fastify

James Sumners · Published 2026-03-05 · Updated 2026-03-13

CVE-2026-3419

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Fastify versions prior to 5.8.1

Description: Fastify incorrectly validates Content-Type headers, accepting malformed values with trailing characters after the subtype token, which violates RFC 9110. Specifically, a request with a Content-Type such as 'application/json garbage' may be processed instead of being rejected with a 415 Unsupported Media Type error. When regex-based content-type parsers are registered, the malformed value is matched against them, potentially routing the request to an unintended parser. This allows an attacker to bypass content validation and have the server process requests with invalid content types.

Recommendations: Versions prior to 5.8.1 should be updated to version 5.8.1 or later. As a temporary workaround, deploy a WAF rule to protect against this issue.
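
The check the description calls for, as an added example that is not Fastify's own code: the Content-Type value is parsed against the RFC 9110 media-type grammar before any parser lookup, so a value with trailing characters after the subtype is rejected (the caller answers 415) rather than being tested against registered parsers. The parser registry, the `naiveLookup`/`strictLookup` names and the parser names are assumptions constructed for the illustration.

```javascript
// Added example, not Fastify's own code: validate Content-Type against the
// RFC 9110 media-type grammar (type "/" subtype *( OWS ";" OWS [ parameter ] ))
// before looking up a body parser, so 'application/json garbage' is rejected
// instead of being matched against registered parsers.
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";            // tchar per RFC 9110
const QUOTED = '"(?:[^"\\\\]|\\\\.)*"';                    // quoted-string
const PARAM = `;\\s*(?:${TOKEN}=(?:${TOKEN}|${QUOTED}))?`; // ";" with optional parameter
const MEDIA_TYPE_RE = new RegExp(`^\\s*(${TOKEN})/(${TOKEN})\\s*((?:${PARAM}\\s*)*)$`);
const PARAM_RE = new RegExp(`;\\s*(${TOKEN})=(${TOKEN}|${QUOTED})`, 'g');

// Returns { type, subtype, params } or null when the value is not a valid media type.
function parseMediaType(value) {
  if (typeof value !== 'string') return null;
  const m = MEDIA_TYPE_RE.exec(value);
  if (m === null) return null;                  // trailing garbage after the subtype lands here
  const params = {};
  for (const p of m[3].matchAll(PARAM_RE)) {
    let v = p[2];
    if (v.startsWith('"')) v = v.slice(1, -1).replace(/\\(.)/g, '$1'); // unquote
    params[p[1].toLowerCase()] = v;
  }
  return { type: m[1].toLowerCase(), subtype: m[2].toLowerCase(), params };
}

// Hypothetical parser registry (constructed): a string key matches the essence
// (type/subtype) exactly, a RegExp key is tested against it.
const parsers = [
  { key: 'application/json', name: 'json' },
  { key: /^application\//, name: 'octet-fallback' },
];

// Naive lookup, constructed for contrast: keys are tested against the raw header
// value, so a malformed value can still be routed to a regex-keyed parser.
function naiveLookup(rawHeader) {
  const hit = parsers.find((p) => p.key instanceof RegExp ? p.key.test(rawHeader) : p.key === rawHeader);
  return hit ? hit.name : null;
}

// Hardened lookup: reject malformed headers up front and match only the essence.
function strictLookup(rawHeader) {
  const mt = parseMediaType(rawHeader);
  if (mt === null) return null;                 // caller responds 415 Unsupported Media Type
  const essence = `${mt.type}/${mt.subtype}`;
  const hit = parsers.find((p) => p.key instanceof RegExp ? p.key.test(essence) : p.key === essence);
  return hit ? hit.name : null;
}
```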

Related Identifiers

CVE-2026-3419
GHSA-573F-X89G-HQP9

Affected Products

Fastify