VDB
KO
MEDIUM 5.3

GHSA-573f-x89g-hqp9

Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation

Details

# Description

Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of [RFC 9110 §8.3.1](https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with `Content-Type: application/json garbage` passes validation and is processed normally, rather than being rejected with `415 Unsupported Media Type`.

When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.

## Impact

An attacker can send requests with RFC-invalid `Content-Type` headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.

## Workarounds

Deploy a WAF rule to protect against this

## Fix

The fix is available starting with v5.8.1.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / fastify
Introduced in: 5.7.2 Fixed in: 5.8.1
Fix npm install fastify@5.8.1

References