Plattform
nodejs
Komponente
fastify
Behoben in
5.8.5
5.8.5
CVE-2026-33806 describes a validation bypass vulnerability in Fastify versions 5.3.2 through 5.8.4. This flaw allows attackers to circumvent request body validation schemas by simply prepending a space character to the Content-Type header. While the body is still parsed correctly, the schema validation is entirely skipped, potentially leading to unexpected behavior and security risks. A fix is available in version 5.8.5.
The impact of this vulnerability lies in the circumvention of request body validation. Applications relying on Fastify's schema validation to enforce data integrity and security policies are now vulnerable. An attacker could potentially inject malicious data into requests that would normally be rejected by the validation process. This could lead to various consequences, including unauthorized access, data modification, or even remote code execution, depending on how the application handles the unvalidated data. The bypass is subtle, requiring only a single space character, making it easy to exploit. This vulnerability is similar in concept to other bypasses that exploit parsing quirks in web frameworks.
CVE-2026-33806 was publicly disclosed on 2026-04-15. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The vulnerability stems from a regression introduced in a previous fix (CVE-2025-32442), highlighting the importance of thorough regression testing after security patches.
Applications built using Fastify versions 5.3.2 through 5.8.4 are at risk, particularly those that heavily rely on request body schema validation for security or data integrity. This includes APIs and web services that process user-supplied data and enforce validation rules.
• nodejs / server:
ps aux | grep -i fastify
# Check for versions below 5.8.5
npm list fastify• generic web:
curl -I <your_fastify_endpoint> | grep Content-Type
# Look for Content-Type headers with leading spacesdisclosure
Exploit-Status
EPSS
0.10% (27% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2026-33806 is to upgrade to Fastify version 5.8.5 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing a temporary workaround by explicitly stripping leading whitespace from the Content-Type header before passing the request to Fastify. This can be achieved in your application code or potentially through a reverse proxy. Additionally, carefully review your request body validation schemas to ensure they are robust and handle unexpected input. After upgrading, confirm the fix by sending a request with a Content-Type header prepended with a space and verifying that the schema validation is correctly enforced.
Actualice a fastify versión 5.8.5 o superior para evitar el bypass de la validación del esquema del cuerpo. Este problema se produce cuando se agrega un espacio inicial al encabezado Content-Type, lo que permite que el cuerpo se analice correctamente pero se omita la validación del esquema.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-33806 is a vulnerability in Fastify where prepending a space to the Content-Type header bypasses request body schema validation, potentially allowing malicious data to be processed.
You are affected if you are using Fastify versions 5.3.2 through 5.8.4 and rely on request body schema validation for security or data integrity.
Upgrade to Fastify version 5.8.5 or later. As a temporary workaround, strip leading whitespace from the Content-Type header before processing the request.
There is currently no indication of active exploitation in the wild or publicly available proof-of-concept code.
Refer to the Fastify GitHub security advisories: https://github.com/fastify/fastify/security/advisories
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.