CVE-2026-33806
EUVD-2026-2281815.04.2026, 04:17
Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442 Patches: Upgrade to fastify v5.8.5 or later. Workarounds: None. Upgrade to the patched version.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| fastify | fastify | 5.3.2 ≤ 𝑥 < 5.8.5 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-1287 - Improper Validation of Specified Type of InputThe product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
- CWE-1289 - Improper Validation of Unsafe Equivalence in InputThe product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.
References