FKIE_CVE-2026-3419
Vulnerability from fkie_nvd - Published: 2026-03-06 18:16 - Updated: 2026-03-18 19:11
Summary
Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1 (https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with `Content-Type: application/json garbage` passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.
When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.
Impact:
An attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.
Workarounds:
Deploy a WAF rule to protect against this.
Fix:
The fix is available starting with v5.8.1.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "9CAD5359-5175-4ED4-934C-F40C1C0C2EE8",
"versionEndExcluding": "5.8.1",
"versionStartIncluding": "5.7.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 \u00a78.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.\n\nWhen regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.\n\nImpact:\nAn attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.\n\nWorkarounds:\nDeploy a WAF rule to protect against this\n\nFix:\n\nThe fix is available starting with v5.8.1."
},
{
"lang": "es",
"value": "Fastify acepta incorrectamente encabezados `Content-Type` malformados que contienen caracteres adicionales despu\u00e9s del token de subtipo, en violaci\u00f3n de la RFC 9110 \u00a78.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). Por ejemplo, una solicitud enviada con Content-Type: application/json garbage pasa la validaci\u00f3n y se procesa normalmente, en lugar de ser rechazada con 415 Unsupported Media Type.\n\nCuando se utilizan analizadores de tipo de contenido basados en expresiones regulares (regex) (una caracter\u00edstica documentada de Fastify), el valor malformado se compara con los analizadores registrados utilizando la cadena completa, incluidos los caracteres adicionales. Esto significa que una solicitud con un tipo de contenido no v\u00e1lido puede ser enrutada y procesada por un analizador al que nunca deber\u00eda haber llegado.\n\nImpacto:\nUn atacante puede enviar solicitudes con encabezados Content-Type no v\u00e1lidos seg\u00fan la RFC que eluden las comprobaciones de validez, llegan a la coincidencia del analizador de tipo de contenido y son procesadas por el servidor. Las solicitudes que deber\u00edan ser rechazadas en la etapa de validaci\u00f3n son, en cambio, manejadas como si el tipo de contenido fuera v\u00e1lido.\n\nSoluciones provisionales:\nImplementar una regla de WAF para protegerse contra esto\n\nSoluci\u00f3n:\n\nLa soluci\u00f3n est\u00e1 disponible a partir de la v5.8.1."
}
],
"id": "CVE-2026-3419",
"lastModified": "2026-03-18T19:11:46.967",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "ce714d77-add3-4f53-aff5-83d477b104bb",
"type": "Secondary"
}
]
},
"published": "2026-03-06T18:16:22.213",
"references": [
{
"source": "ce714d77-add3-4f53-aff5-83d477b104bb",
"tags": [
"Vendor Advisory"
],
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"source": "ce714d77-add3-4f53-aff5-83d477b104bb",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/advisories/GHSA-573f-x89g-hqp9"
},
{
"source": "ce714d77-add3-4f53-aff5-83d477b104bb",
"tags": [
"Patch"
],
"url": "https://github.com/fastify/fastify/commit/67f6c9b32cb3623d3c9470cc17ed830dd2f083d7"
},
{
"source": "ce714d77-add3-4f53-aff5-83d477b104bb",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9"
},
{
"source": "ce714d77-add3-4f53-aff5-83d477b104bb",
"tags": [
"Technical Description"
],
"url": "https://httpwg.org/specs/rfc9110.html#field.content-type"
},
{
"source": "ce714d77-add3-4f53-aff5-83d477b104bb",
"tags": [
"VDB Entry"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3419"
}
],
"sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-185"
}
],
"source": "ce714d77-add3-4f53-aff5-83d477b104bb",
"type": "Secondary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.