プラットフォーム
nodejs
コンポーネント
fastify
修正版
5.8.5
5.8.5
Fastify アプリケーションにおいて、schema.body.content を使用してコンテンツタイプごとにバディを検証する場合、Content-Type ヘッダーの先頭にスペースを付加することで検証が完全にバイパスされる脆弱性が存在します。バディは正しく解析されますが、スキーマ検証はスキップされます。この問題は、CVE-2025-32442 の修正によって fastify >= 5.3.2 で導入されました。Fastify v5.8.5 以降へのアップデートで修正されています。
The impact of this vulnerability lies in the circumvention of request body validation. Applications relying on Fastify's schema validation to enforce data integrity and security policies are now vulnerable. An attacker could potentially inject malicious data into requests that would normally be rejected by the validation process. This could lead to various consequences, including unauthorized access, data modification, or even remote code execution, depending on how the application handles the unvalidated data. The bypass is subtle, requiring only a single space character, making it easy to exploit. This vulnerability is similar in concept to other bypasses that exploit parsing quirks in web frameworks.
CVE-2026-33806 was publicly disclosed on 2026-04-15. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The vulnerability stems from a regression introduced in a previous fix (CVE-2025-32442), highlighting the importance of thorough regression testing after security patches.
Applications built using Fastify versions 5.3.2 through 5.8.4 are at risk, particularly those that heavily rely on request body schema validation for security or data integrity. This includes APIs and web services that process user-supplied data and enforce validation rules.
• nodejs / server:
ps aux | grep -i fastify
# Check for versions below 5.8.5
npm list fastify• generic web:
curl -I <your_fastify_endpoint> | grep Content-Type
# Look for Content-Type headers with leading spacesdisclosure
エクスプロイト状況
EPSS
0.10% (27% パーセンタイル)
CISA SSVC
The primary mitigation for CVE-2026-33806 is to upgrade to Fastify version 5.8.5 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing a temporary workaround by explicitly stripping leading whitespace from the Content-Type header before passing the request to Fastify. This can be achieved in your application code or potentially through a reverse proxy. Additionally, carefully review your request body validation schemas to ensure they are robust and handle unexpected input. After upgrading, confirm the fix by sending a request with a Content-Type header prepended with a space and verifying that the schema validation is correctly enforced.
Actualice a fastify versión 5.8.5 o superior para evitar el bypass de la validación del esquema del cuerpo. Este problema se produce cuando se agrega un espacio inicial al encabezado Content-Type, lo que permite que el cuerpo se analice correctamente pero se omita la validación del esquema.
脆弱性分析と重要アラートをメールでお届けします。
Fastify アプリケーションのバディ検証をバイパスする脆弱性です。Content-Type ヘッダーにスペースを付加することで、スキーマ検証がスキップされます。
Fastify のバージョン 5.3.2 から 5.8.5 を使用している場合は影響を受けます。
Fastify v5.8.5 以降にアップデートしてください。
CVSS ベクトル