{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25223", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-30T14:44:47.327Z", "datePublished": "2026-02-03T21:21:40.268Z", "dateUpdated": "2026-02-04T21:18:16.693Z"}, "containers": {"cna": {"title": "Fastify's Content-Type header tab character allows body validation bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-436", "lang": "en", "description": "CWE-436: Interpretation Conflict", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq"}, {"name": "https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821", "tags": ["x_refsource_MISC"], "url": "https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821"}, {"name": "https://hackerone.com/reports/3464114", "tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/3464114"}, {"name": "https://fastify.dev/docs/latest/Reference/Validation-and-Serialization", "tags": ["x_refsource_MISC"], "url": "https://fastify.dev/docs/latest/Reference/Validation-and-Serialization"}, {"name": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125", "tags": ["x_refsource_MISC"], "url": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125"}, {"name": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272", "tags": ["x_refsource_MISC"], "url": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272"}], "affected": [{"vendor": "fastify", "product": "fastify", "versions": [{"version": "< 5.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T21:21:40.268Z"}, "descriptions": [{"lang": "en", "value": "Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2."}], "source": {"advisory": "GHSA-jx2c-rxcm-jvmq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T21:18:10.359742Z", "id": "CVE-2026-25223", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T21:18:16.693Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25223", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T21:18:10.359742Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T21:18:14.142Z"}}], "cna": {"title": "Fastify's Content-Type header tab character allows body validation bypass", "source": {"advisory": "GHSA-jx2c-rxcm-jvmq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "fastify", "product": "fastify", "versions": [{"status": "affected", "version": "< 5.7.2"}]}], "references": [{"url": "https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq", "name": "https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821", "name": "https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821", "tags": ["x_refsource_MISC"]}, {"url": "https://hackerone.com/reports/3464114", "name": "https://hackerone.com/reports/3464114", "tags": ["x_refsource_MISC"]}, {"url": "https://fastify.dev/docs/latest/Reference/Validation-and-Serialization", "name": "https://fastify.dev/docs/latest/Reference/Validation-and-Serialization", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125", "name": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272", "name": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-436", "description": "CWE-436: Interpretation Conflict"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T21:21:40.268Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25223", "state": "PUBLISHED", "dateUpdated": "2026-02-04T21:18:16.693Z", "dateReserved": "2026-01-30T14:44:47.327Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-03T21:21:40.268Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "51FAFCEB-4FBC-4777-BC6D-91713CA5828A", "versionEndExcluding": "5.7.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2."}], "id": "CVE-2026-25223", "lastModified": "2026-02-10T20:05:15.127", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-03T22:16:31.130", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Technical Description"], "url": "https://fastify.dev/docs/latest/Reference/Validation-and-Serialization"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/3464114"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-436"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Fastify: Fastify: Validation bypass due to malformed Content-Type header leading to integrity impact", "id": "2436560", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436560"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-179", "details": ["A flaw was found in Fastify, a web framework for Node.js. A remote attacker can exploit a validation bypass vulnerability by appending a tab character followed by arbitrary content to the Content-Type header. This circumvents the request body validation schemas, allowing the server to process the body as the original content type without proper validation. This could lead to unexpected data processing and potential integrity impact."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-25223", "package_state": [{"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-dashboard-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mod-arch-gen-ai-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mod-arch-model-registry-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/dashboard-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-02-03T21:21:40Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25223\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25223\nhttps://fastify.dev/docs/latest/Reference/Validation-and-Serialization\nhttps://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125\nhttps://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272\nhttps://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821\nhttps://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq\nhttps://hackerone.com/reports/3464114"], "statement": "This IMPORTANT vulnerability in Fastify, a Node.js web framework, allows remote attackers to bypass request body validation by manipulating the Content-Type header. This can lead to unexpected data processing and integrity issues in applications. Red Hat products such as Red Hat Enterprise Linux AI, Red Hat OpenShift AI, and Red Hat OpenShift Dev Spaces are affected.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T00:00:45.230751+00:00", "value": {"mitigation_remediation": ["Upgrade Fastify to version 5.7.2 or newer, which eliminates the tab\u2011character flaw in the content\u2011type parser.", "Validate incoming Content\u2011Type headers server side and reject any value containing non\u2011ASCII whitespace such as tabs before processing the body.", "Apply application\u2011level input sanitization to all deserialized bodies and monitor logs for unexpected header anomalies to detect bypass attempts."], "summary": {"action": "Patch", "impact": "Validation Bypass"}, "threat_synthesis": {"affected_systems": "The flaw impacts any Fastify installation older than version 5.7.2. Releases from 5.7.2 onward include a patch that corrects the parser. Users of exact releases prior to 5.7.2 should review their application dependencies to determine the presence of the affected module.", "description_and_impact": "Fastify, a high\u2011performance Node.js web framework, suffers a validation bypass: by inserting a tab character after the MIME type in the Content\u2011Type header, an attacker can cause the framework to skip schema validation while still treating the payload as the declared type. This allows malicious data to reach downstream logic unfiltered, potentially leading to code injection or data corruption.", "risk_and_exploitability": "With a CVSS score of 7.5 the issue is high severity, yet the EPSS score of less than 1% indicates limited exploitation activity. The vulnerability is not catalogued in KEV. Attackers can exploit it by sending an HTTP request whose Content\u2011Type header contains a tab character; this requires no special authentication and is a low\u2011effort attack vector, after which arbitrary request bodies bypass validation."}}}}, "created": "2026-02-04T12:05:26.727842+00:00", "updated": "2026-04-18T00:15:31.768037+00:00", "vendors": ["fastify", "fastify$PRODUCT$fastify"]}