CVE-2026-25223

Name of the Vulnerable Software and Affected Versions Fastify versions prior to 5.7.2

Description Fastify is a web framework for Node.js. A validation bypass exists where request body validation schemas specified by Content-Type can be circumvented. Appending a tab character (t) followed by arbitrary content to the Content-Type header allows attackers to bypass body validation while the server processes the body as the original content type. The affected API endpoint receives requests with a Content-Type header, and the vulnerable parameter is the Content-Type header itself.

Recommendations Update to version 5.7.2 or later.