CVE-2026-33806 PUBLISHED

fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header

Assigner: openjs
Reserved: 23.03.2026 Published: 15.04.2026 Updated: 15.04.2026

Impact:

Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.

This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442

Patches:

Upgrade to fastify v5.8.5 or later.

Workarounds:

None. Upgrade to the patched version.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	fastify
Product	fastify
Versions	Default: unaffected affected from 5.3.2 to 5.8.5 (excl.) Version 5.8.5 is unaffected

Credits

mcollina remediation developer
climba03003 remediation reviewer
jsumners remediation reviewer
UlisesGascon remediation reviewer
Vyntral reporter

References

Problem Types

CWE-1287: Improper Validation of Specified Type of Input CWE