{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3419", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-01T18:56:49.613Z", "datePublished": "2026-03-06T17:50:58.714Z", "dateUpdated": "2026-03-09T14:55:21.011Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-06T17:54:33.542Z"}, "descriptions": [{"lang": "en", "value": "Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 \u00a78.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.\n\nWhen regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.\n\nImpact:\nAn attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.\n\nWorkarounds:\nDeploy a WAF rule to protect against this\n\nFix:\n\nThe fix is available starting with v5.8.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 \u00a78.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.\n\nWhen regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.\n\nImpact:\nAn attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.\n\nWorkarounds:\nDeploy a WAF rule to protect against this\n\nFix:\n\nThe fix is available starting with v5.8.1."}]}], "affected": [{"vendor": "fastify", "product": "fastify", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "status": "affected", "version": "5.7.2", "lessThan": "5.8.1"}, {"versionType": "semver", "status": "unaffected", "version": "5.8.1"}], "packageURL": "pkg:npm/fastify"}], "references": [{"url": "https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9"}, {"url": "https://github.com/fastify/fastify/commit/67f6c9b32cb3623d3c9470cc17ed830dd2f083d7"}, {"url": "https://httpwg.org/specs/rfc9110.html#field.content-type"}, {"url": "https://github.com/advisories/GHSA-573f-x89g-hqp9"}, {"url": "https://cna.openjsf.org/security-advisories.html"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-3419"}], "credits": [{"lang": "en", "type": "reporter", "value": "Saad FELLAHI"}, {"lang": "en", "type": "remediation developer", "value": "James Sumners"}, {"lang": "en", "type": "coordinator", "value": "Matteo Collina"}, {"lang": "en", "type": "remediation reviewer", "value": "Ulises Gasc\u00f3n"}], "title": "Fastify's Missing End Anchor in \"subtypeNameReg\" Allows Malformed Content-Types to Pass Validation", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-185", "lang": "en", "description": "CWE-185: Incorrect Regular Expression", "type": "CWE"}]}], "x_generator": {"engine": "cve-kit 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T14:55:13.971640Z", "id": "CVE-2026-3419", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T14:55:21.011Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3419", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T14:55:13.971640Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T14:55:17.583Z"}}], "cna": {"title": "Fastify's Missing End Anchor in \"subtypeNameReg\" Allows Malformed Content-Types to Pass Validation", "credits": [{"lang": "en", "type": "reporter", "value": "Saad FELLAHI"}, {"lang": "en", "type": "remediation developer", "value": "James Sumners"}, {"lang": "en", "type": "coordinator", "value": "Matteo Collina"}, {"lang": "en", "type": "remediation reviewer", "value": "Ulises Gasc\u00f3n"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "fastify", "product": "fastify", "versions": [{"status": "affected", "version": "5.7.2", "lessThan": "5.8.1", "versionType": "semver"}, {"status": "unaffected", "version": "5.8.1", "versionType": "semver"}], "packageURL": "pkg:npm/fastify", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9"}, {"url": "https://github.com/fastify/fastify/commit/67f6c9b32cb3623d3c9470cc17ed830dd2f083d7"}, {"url": "https://httpwg.org/specs/rfc9110.html#field.content-type"}, {"url": "https://github.com/advisories/GHSA-573f-x89g-hqp9"}, {"url": "https://cna.openjsf.org/security-advisories.html"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-3419"}], "x_generator": {"engine": "cve-kit 1.0.0"}, "descriptions": [{"lang": "en", "value": "Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 \u00a78.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.\n\nWhen regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.\n\nImpact:\nAn attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.\n\nWorkarounds:\nDeploy a WAF rule to protect against this\n\nFix:\n\nThe fix is available starting with v5.8.1.", "supportingMedia": [{"type": "text/html", "value": "Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 \u00a78.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.\n\nWhen regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.\n\nImpact:\nAn attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.\n\nWorkarounds:\nDeploy a WAF rule to protect against this\n\nFix:\n\nThe fix is available starting with v5.8.1.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-185", "description": "CWE-185: Incorrect Regular Expression"}]}], "providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-06T17:54:33.542Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3419", "state": "PUBLISHED", "dateUpdated": "2026-03-09T14:55:21.011Z", "dateReserved": "2026-03-01T18:56:49.613Z", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "datePublished": "2026-03-06T17:50:58.714Z", "assignerShortName": "openjs"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "9CAD5359-5175-4ED4-934C-F40C1C0C2EE8", "versionEndExcluding": "5.8.1", "versionStartIncluding": "5.7.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 \u00a78.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.\n\nWhen regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.\n\nImpact:\nAn attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.\n\nWorkarounds:\nDeploy a WAF rule to protect against this\n\nFix:\n\nThe fix is available starting with v5.8.1."}, {"lang": "es", "value": "Fastify acepta incorrectamente encabezados `Content-Type` malformados que contienen caracteres adicionales despu\u00e9s del token de subtipo, en violaci\u00f3n de la RFC 9110 \u00a78.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). Por ejemplo, una solicitud enviada con Content-Type: application/json garbage pasa la validaci\u00f3n y se procesa normalmente, en lugar de ser rechazada con 415 Unsupported Media Type.\n\nCuando se utilizan analizadores de tipo de contenido basados en expresiones regulares (regex) (una caracter\u00edstica documentada de Fastify), el valor malformado se compara con los analizadores registrados utilizando la cadena completa, incluidos los caracteres adicionales. Esto significa que una solicitud con un tipo de contenido no v\u00e1lido puede ser enrutada y procesada por un analizador al que nunca deber\u00eda haber llegado.\n\nImpacto:\nUn atacante puede enviar solicitudes con encabezados Content-Type no v\u00e1lidos seg\u00fan la RFC que eluden las comprobaciones de validez, llegan a la coincidencia del analizador de tipo de contenido y son procesadas por el servidor. Las solicitudes que deber\u00edan ser rechazadas en la etapa de validaci\u00f3n son, en cambio, manejadas como si el tipo de contenido fuera v\u00e1lido.\n\nSoluciones provisionales:\nImplementar una regla de WAF para protegerse contra esto\n\nSoluci\u00f3n:\n\nLa soluci\u00f3n est\u00e1 disponible a partir de la v5.8.1."}], "id": "CVE-2026-3419", "lastModified": "2026-03-18T19:11:46.967", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}, "published": "2026-03-06T18:16:22.213", "references": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Vendor Advisory"], "url": "https://cna.openjsf.org/security-advisories.html"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/advisories/GHSA-573f-x89g-hqp9"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Patch"], "url": "https://github.com/fastify/fastify/commit/67f6c9b32cb3623d3c9470cc17ed830dd2f083d7"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Vendor Advisory"], "url": "https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Technical Description"], "url": "https://httpwg.org/specs/rfc9110.html#field.content-type"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["VDB Entry"], "url": "https://www.cve.org/CVERecord?id=CVE-2026-3419"}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-185"}], "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}

{"bugzilla": {"description": "fastify: Fastify: Bypass of Content-Type validation via malformed Content-Type headers", "id": "2445295", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445295"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-625", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-3419", "package_state": [{"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-dashboard-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-mod-arch-gen-ai-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-mod-arch-model-registry-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/dashboard-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-03-06T17:50:58Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3419\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3419\nhttps://cna.openjsf.org/security-advisories.html\nhttps://github.com/advisories/GHSA-573f-x89g-hqp9\nhttps://github.com/fastify/fastify/commit/67f6c9b32cb3623d3c9470cc17ed830dd2f083d7\nhttps://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9\nhttps://httpwg.org/specs/rfc9110.html#field.content-type"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.7.2,5.8.1)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "5.8.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "fastify", "source": "cna", "vendor": "fastify"}, "product": "fastify", "vendor": "fastify"}], "analysis": {"en": {"generated_at": "2026-04-16T11:16:24.531589+00:00", "value": {"mitigation_remediation": ["Upgrade Fastify to version v5.8.1 or later to incorporate the patched Content-Type validation.", "If regex-based content-type parsers are configured, review or disable them so that malformed headers are not processed by untrusted parsers.", "Deploy a WAF rule or equivalent traffic filter to block Content-Type headers that contain trailing characters after the subtype token.", "Monitor application logs for unexpected Content-Type parsing or malformed header traffic and apply additional filtering rules as needed."], "summary": {"action": "Apply Patch", "impact": "Bypass Content-Type Validation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Fastify framework distributed under the npm package fastify. All released versions prior to 5.8.1 are susceptible, as the patch was introduced in v5.8.1. No specific operating systems or Node.js version constraints are listed, but the bug exists within the Fastify codebase regardless of deployment environment.", "description_and_impact": "Fastify implements a regex-based validator for the Content-Type header that is intended to enforce RFC 9110 \u00a78.3.1. In this CVE, the validator incorrectly accepts headers that contain trailing characters after the subtype token, such as Content-Type: application/json garbage, because the end anchor in the regular expression is missing. As a result, requests whose media types are RFC-invalid are treated as valid by Fastify\u2019s parser and are routed to the associated content-type parser. This flaw is categorized as CWE\u2011185 and CWE\u2011625, and allows an attacker to bypass the server\u2019s media\u2011type validation and potentially cause malicious payloads to be processed under the wrong parser.", "risk_and_exploitability": "With a CVSS v3 base score of 5.3, the flaw is considered moderate severity. The EPSS score is under 1%, indicating a low probability that attackers are actively exploiting it at present. The vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the issue by sending an HTTP request with a Content-Type header that includes trailing characters beyond the acceptable subtype token; the server will accept the header, route the request to the parser, and process the payload as if it were compliant. Because the flaw only allows bypass of validation without direct code execution, the risk is limited to potential downstream effects such as injection of malformed data, but it remains exploitable in environments that rely on strict Content-Type validation for security."}}}}, "created": "2026-03-09T10:07:12.218238+00:00", "updated": "2026-04-16T11:30:15.893625+00:00", "vendors": ["fastify", "fastify$PRODUCT$fastify"]}