Platform: nodejs
Component: fastify
Fixed in: 5.8.5
CVE-2026-33806 affects Fastify applications that use schema.body.content for request body validation. Adding a space to the Content-Type header completely bypasses validation, although the body is still parsed correctly. The issue appeared in Fastify >= 5.3.2, following a fix for CVE-2025-32442. The solution is to upgrade to version 5.8.5 or later.
The impact of this vulnerability lies in the circumvention of request body validation. Applications relying on Fastify's schema validation to enforce data integrity and security policies are now vulnerable. An attacker could potentially inject malicious data into requests that would normally be rejected by the validation process. This could lead to various consequences, including unauthorized access, data modification, or even remote code execution, depending on how the application handles the unvalidated data. The bypass is subtle, requiring only a single space character, making it easy to exploit. This vulnerability is similar in concept to other bypasses that exploit parsing quirks in web frameworks.
CVE-2026-33806 was publicly disclosed on 2026-04-15. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The vulnerability stems from a regression introduced in a previous fix (CVE-2025-32442), highlighting the importance of thorough regression testing after security patches.
Applications built using Fastify versions 5.3.2 through 5.8.4 are at risk, particularly those that heavily rely on request body schema validation for security or data integrity. This includes APIs and web services that process user-supplied data and enforce validation rules.
• nodejs / server:
ps aux | grep -i fastify
# Check for versions below 5.8.5
npm list fastify
• generic web:
curl -I <your_fastify_endpoint> | grep Content-Type
# Look for Content-Type headers with leading spaces
EPSS: 0.10% (percentile 27%)
The primary mitigation for CVE-2026-33806 is to upgrade to Fastify version 5.8.5 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing a temporary workaround by explicitly stripping leading whitespace from the Content-Type header before passing the request to Fastify. This can be achieved in your application code or potentially through a reverse proxy. Additionally, carefully review your request body validation schemas to ensure they are robust and handle unexpected input. After upgrading, confirm the fix by sending a request with a Content-Type header prepended with a space and verifying that the schema validation is correctly enforced.
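The temporary workaround described above, as an added example that is not Fastify's own code: a wrapper that strips leading whitespace from Content-Type before the framework's handler runs and reports each occurrence. The function names and the onAnomaly hook are hypothetical, and the sketch assumes the stray whitespace is visible in req.headers at the Node layer.

```javascript
// Added example (not from the advisory or the Fastify project).

// True when a Content-Type value starts with a space or tab.
function hasLeadingWhitespace(value) {
  return typeof value === 'string' && /^[ \t]+/.test(value);
}

// Remove leading spaces/tabs; non-string values pass through unchanged.
function normalizeContentType(value) {
  return typeof value === 'string' ? value.replace(/^[ \t]+/, '') : value;
}

// Wrap a Node (req, res) handler so the header is cleaned before the
// framework sees it. onAnomaly is a hypothetical logging hook, useful for
// spotting bypass attempts while the upgrade to 5.8.5 is pending.
function withNormalizedContentType(handler, onAnomaly = () => {}) {
  return (req, res) => {
    const raw = req.headers['content-type'];
    if (hasLeadingWhitespace(raw)) {
      onAnomaly({ method: req.method, url: req.url, contentType: raw });
      req.headers['content-type'] = normalizeContentType(raw);
    }
    return handler(req, res);
  };
}

// Wiring through Fastify's serverFactory option (kept as a comment so this
// file runs without Fastify installed):
//   const app = require('fastify')({
//     serverFactory: (handler) => require('node:http')
//       .createServer(withNormalizedContentType(handler, console.warn)),
//   });

// Constructed demo using stub request objects instead of real sockets.
function demo() {
  const seen = [];
  const flagged = [];
  const wrapped = withNormalizedContentType(
    (req) => seen.push(req.headers['content-type']),
    (evt) => flagged.push(evt)
  );
  const post = (ct) => ({ method: 'POST', url: '/items', headers: { 'content-type': ct } });
  wrapped(post(' application/json'), {});
  wrapped(post('application/json'), {});
  wrapped({ method: 'GET', url: '/health', headers: {} }, {});
  return { seen, flagged };
}
```

Remove the wrapper once the application runs on 5.8.5 or later; the anomaly log remains useful as a detection signal.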
Upgrade to fastify version 5.8.5 or later to avoid the body schema validation bypass. The issue occurs when a leading space is added to the Content-Type header, which allows the body to be parsed correctly while schema validation is skipped.
It is a validation bypass vulnerability in Fastify, where a space in the Content-Type header causes request body validation to be skipped.
Yes, if you use Fastify between versions 5.3.2 and 5.8.5, you are potentially affected.
Upgrade Fastify to version 5.8.5 or later.