CVE-2026-3419

EPSS 0.35%
Veröffentlicht 06.03.2026 17:50:58
Zuletzt bearbeitet 18.03.2026 19:11:46
Quelle ce714d77-add3-4f53-aff5-83d477
CVE-Watchlists
Login
Unerledigt
Login

Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation

Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.

When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.

Impact:
An attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.

Workarounds:
Deploy a WAF rule to protect against this

Fix:

The fix is available starting with v5.8.1.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Fastify ≫ Fastify SwPlatformnode.js Version >= 5.7.2 < 5.8.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.35%	0.268

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
ce714d77-add3-4f53-aff5-83d477b104bb	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-185 Incorrect Regular Expression

The product specifies a regular expression in a way that causes data to be improperly matched or compared.

https://cna.openjsf.org/security-advisories.html

Vendor Advisory

https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9

Vendor Advisory

https://github.com/fastify/fastify/commit/67f6c9b32cb3623d3c9470cc17ed830dd2f083d7

Patch

https://httpwg.org/specs/rfc9110.html#field.content-type

Technical Description

https://github.com/advisories/GHSA-573f-x89g-hqp9

Patch

Vendor Advisory

https://www.cve.org/CVERecord?id=CVE-2026-3419

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2026-3419

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-3419

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-3419

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-3419