平台
nodejs
组件
fastify
修复版本
5.8.5
5.8.5
CVE-2026-33806 is a security vulnerability affecting the Fastify web framework. This issue allows attackers to bypass schema validation when using schema.body.content for per-content-type body validation by prepending a space to the Content-Type header, leading to potential data manipulation. The vulnerability impacts Fastify versions 5.3.2 through 5.8.5 and was introduced as a regression from a previous fix. An upgrade to Fastify version 5.8.5 or later resolves this issue.
The impact of this vulnerability lies in the circumvention of request body validation. Applications relying on Fastify's schema validation to enforce data integrity and security policies are now vulnerable. An attacker could potentially inject malicious data into requests that would normally be rejected by the validation process. This could lead to various consequences, including unauthorized access, data modification, or even remote code execution, depending on how the application handles the unvalidated data. The bypass is subtle, requiring only a single space character, making it easy to exploit. This vulnerability is similar in concept to other bypasses that exploit parsing quirks in web frameworks.
CVE-2026-33806 was publicly disclosed on 2026-04-15. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The vulnerability stems from a regression introduced in a previous fix (CVE-2025-32442), highlighting the importance of thorough regression testing after security patches.
Applications built using Fastify versions 5.3.2 through 5.8.4 are at risk, particularly those that heavily rely on request body schema validation for security or data integrity. This includes APIs and web services that process user-supplied data and enforce validation rules.
• nodejs / server:
ps aux | grep -i fastify
# Check for versions below 5.8.5
npm list fastify• generic web:
curl -I <your_fastify_endpoint> | grep Content-Type
# Look for Content-Type headers with leading spacesdisclosure
漏洞利用状态
EPSS
0.10% (27% 百分位)
CISA SSVC
The primary mitigation for CVE-2026-33806 is to upgrade to Fastify version 5.8.5 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing a temporary workaround by explicitly stripping leading whitespace from the Content-Type header before passing the request to Fastify. This can be achieved in your application code or potentially through a reverse proxy. Additionally, carefully review your request body validation schemas to ensure they are robust and handle unexpected input. After upgrading, confirm the fix by sending a request with a Content-Type header prepended with a space and verifying that the schema validation is correctly enforced.
Actualice a fastify versión 5.8.5 o superior para evitar el bypass de la validación del esquema del cuerpo. Este problema se produce cuando se agrega un espacio inicial al encabezado Content-Type, lo que permite que el cuerpo se analice correctamente pero se omita la validación del esquema.
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2026-33806 是 Fastify 框架中的一个漏洞,允许通过在 Content-Type 头部添加空格来绕过模式验证。
如果您的 Fastify 版本在 5.3.2 到 5.8.5 之间,则可能受到影响。
升级到 Fastify v5.8.5 或更高版本以修复此漏洞。
CVSS 向量