Platform
nodejs
Component
fastify
Fixed in
5.8.5
A vulnerability was discovered in Fastify in which using schema.body.content for per-content-type body validation can lead to a complete validation bypass. This occurs when a space is prepended to the Content-Type header, allowing the body to be parsed correctly while schema validation is skipped. This regression was introduced in version 5.3.2. The fix is available in version 5.8.5.
The impact of this vulnerability lies in the circumvention of request body validation. Applications relying on Fastify's schema validation to enforce data integrity and security policies are now vulnerable. An attacker could potentially inject malicious data into requests that would normally be rejected by the validation process. This could lead to various consequences, including unauthorized access, data modification, or even remote code execution, depending on how the application handles the unvalidated data. The bypass is subtle, requiring only a single space character, making it easy to exploit. This vulnerability is similar in concept to other bypasses that exploit parsing quirks in web frameworks.
CVE-2026-33806 was publicly disclosed on 2026-04-15. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The vulnerability stems from a regression introduced in a previous fix (CVE-2025-32442), highlighting the importance of thorough regression testing after security patches.
Applications built using Fastify versions 5.3.2 through 5.8.4 are at risk, particularly those that heavily rely on request body schema validation for security or data integrity. This includes APIs and web services that process user-supplied data and enforce validation rules.
• nodejs / server:
ps aux | grep -i fastify
# Check for versions below 5.8.5
npm list fastify
• generic web:
curl -I <your_fastify_endpoint> | grep Content-Type
# Look for Content-Type headers with leading spaces
EPSS
0.10% (percentile 27%)
The primary mitigation for CVE-2026-33806 is to upgrade to Fastify version 5.8.5 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing a temporary workaround by explicitly stripping leading whitespace from the Content-Type header before passing the request to Fastify. This can be achieved in your application code or potentially through a reverse proxy. Additionally, carefully review your request body validation schemas to ensure they are robust and handle unexpected input. After upgrading, confirm the fix by sending a request with a Content-Type header prepended with a space and verifying that the schema validation is correctly enforced.
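One way to implement the temporary workaround described above, as an added example that is not Fastify's or this advisory's own code. The helper names are hypothetical, and the wiring comment assumes Fastify's `serverFactory` option together with Node's `http` module.

```javascript
// Added example: strip (or reject) leading whitespace in Content-Type before
// the request reaches the framework. Helper names are hypothetical.

// Any whitespace at the start of the header value (space, tab, ...).
const LEADING_WS = /^\s+/;

// Returns the cleaned value and whether the original had leading whitespace.
function normalizeContentType(value) {
  if (typeof value !== 'string') return { value, anomalous: false };
  const cleaned = value.replace(LEADING_WS, '');
  return { value: cleaned, anomalous: cleaned !== value };
}

// Wraps a Node (req, res) handler. A request with an anomalous header is
// reported through onAnomaly, then either rejected with 400 (reject: true)
// or has its header rewritten in place before the wrapped handler runs.
function guardContentType(handler, { reject = false, onAnomaly = () => {} } = {}) {
  return function guarded(req, res) {
    const raw = req.headers['content-type'];
    const result = normalizeContentType(raw);
    if (result.anomalous) {
      onAnomaly({ method: req.method, url: req.url, raw });
      if (reject) {
        res.statusCode = 400;
        res.end('Malformed Content-Type header');
        return;
      }
      req.headers['content-type'] = result.value;
    }
    handler(req, res);
  };
}

// Wiring sketch (assumption: Fastify's serverFactory option, Node's http):
//   const app = fastify({
//     serverFactory: (handler) => http.createServer(guardContentType(handler)),
//   });
```

Passing an `onAnomaly` callback that writes to your request log also gives you a record of which clients sent the malformed header while the upgrade is pending.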
Upgrade to fastify version 5.8.5 or later to avoid the body schema validation bypass. This issue occurs when a leading space is added to the Content-Type header, which allows the body to be parsed correctly while schema validation is skipped.
It is a validation bypass vulnerability in Fastify that allows body schema validation to be skipped by manipulating the Content-Type header.
If you are using Fastify versions between 5.3.2 and 5.8.5, you are potentially affected.
Upgrade to Fastify version 5.8.5 or later to fix this vulnerability.