Summary
Two Fastify high-severity CVEs remain unaddressed in the current fastify ^5.7.3 dependency. Issue #221 closed the body validation bypass (GHSA-247c-9743-5963) but the following were not covered:
- GHSA-573f-x89g-hqp9 — Malformed Content-Type headers (e.g. `application/json;` with no charset) pass Fastify's body schema validation and reach route handlers unvalidated.
- GHSA-444r-cwp2-x5xf — X-Forwarded-Proto / X-Forwarded-Host headers can be spoofed to trick Fastify into trusting untrusted proxies, enabling host-header injection attacks.
Affected File
package.json — "fastify": "^5.7.3"
Severity
High (CVSS 7.5)
Fix
Upgrade fastify to the latest patched v5 release that addresses these two CVEs. Check Fastify security advisories for the minimum safe version. After upgrading, run:
npm audit --audit-level=high
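As an added illustration of the two header classes named in the summary (this is example code written for this issue, not code from Fastify or from this repository), the following request-header guard strictly parses Content-Type per the RFC 9110 media-type grammar, rejecting values such as `application/json;` that carry an empty parameter, and applies a host allowlist so that X-Forwarded-* headers are only honoured when the service is actually deployed behind a trusted proxy. `allowedHosts`, `behindTrustedProxy`, the hook wiring and the sample headers are assumptions for the example, not values from this project.

```javascript
// Added example, not project code: interim header hardening for a Fastify
// service while the dependency upgrade is pending. Node.js lowercases
// incoming header names, so lookups below use lowercase keys.

// RFC 9110 "token" characters: used for type, subtype, parameter names
// and unquoted parameter values.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Parse a Content-Type header value. Returns { type, params } for a
// well-formed value and null for anything malformed, including a trailing
// ';' with no parameter (e.g. "application/json;"). Quoted parameter
// values that themselves contain ';' are rejected conservatively.
function parseContentType(header) {
  if (typeof header !== 'string') return null;
  const parts = header.split(';');
  const mediaType = parts[0].trim().toLowerCase();
  const slash = mediaType.indexOf('/');
  if (slash < 1) return null;
  const type = mediaType.slice(0, slash);
  const subtype = mediaType.slice(slash + 1);
  if (!TOKEN.test(type) || !TOKEN.test(subtype)) return null;

  const params = {};
  for (const raw of parts.slice(1)) {
    const p = raw.trim();
    if (p === '') return null;            // empty parameter segment
    const eq = p.indexOf('=');
    if (eq < 1) return null;              // parameter without "name="
    const name = p.slice(0, eq).toLowerCase();
    let value = p.slice(eq + 1);
    if (!TOKEN.test(name)) return null;
    if (value.startsWith('"')) {
      if (value.length < 2 || !value.endsWith('"')) return null;
      value = value.slice(1, -1);
    } else if (!TOKEN.test(value)) {
      return null;
    }
    params[name] = value;
  }
  return { type: mediaType, params };
}

// Decide whether a request may proceed. `policy.allowedHosts` is an assumed
// deployment allowlist (Set of lowercase hostnames); `policy.behindTrustedProxy`
// says whether X-Forwarded-* headers come from a proxy we control. When no
// such proxy exists, forwarded headers are unexpected and rejected outright.
function checkRequestHeaders(headers, policy) {
  const ct = headers['content-type'];
  if (ct !== undefined && parseContentType(ct) === null) {
    return { ok: false, status: 415, reason: 'malformed Content-Type' };
  }
  const forwarded = 'x-forwarded-host' in headers || 'x-forwarded-proto' in headers;
  if (!policy.behindTrustedProxy && forwarded) {
    return { ok: false, status: 400, reason: 'unexpected X-Forwarded-* header' };
  }
  const host = (policy.behindTrustedProxy && headers['x-forwarded-host']) || headers.host;
  if (typeof host !== 'string' || !policy.allowedHosts.has(host.toLowerCase())) {
    return { ok: false, status: 400, reason: 'host not in allowlist' };
  }
  return { ok: true };
}

// Assumed wiring into Fastify (not executed here):
//   fastify.addHook('onRequest', async (request, reply) => {
//     const verdict = checkRequestHeaders(request.headers, policy);
//     if (!verdict.ok) reply.code(verdict.status).send({ error: verdict.reason });
//   });

// Constructed sample policy and headers for a stand-alone run.
const samplePolicy = { allowedHosts: new Set(['api.example.com']), behindTrustedProxy: false };
console.log(checkRequestHeaders({ host: 'api.example.com', 'content-type': 'application/json;' }, samplePolicy));
console.log(checkRequestHeaders({ host: 'api.example.com', 'content-type': 'application/json; charset=utf-8' }, samplePolicy));
```

Once the upgrade lands, the guard stays harmless: it only rejects requests that a correctly patched Fastify would also refuse to validate against a body schema, and it keeps X-Forwarded-* trust an explicit deployment decision rather than an implicit one.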
Related