Security: Remaining Fastify CVEs — malformed Content-Type bypass (GHSA-573f-x89g-hqp9) and X-Forwarded-Proto host spoofing (GHSA-444r-cwp2-x5xf) #255

Description

@LucasMaupin

Summary

Two Fastify high-severity CVEs remain unaddressed in the current fastify ^5.7.3 dependency. Issue #221 closed the body validation bypass (GHSA-247c-9743-5963) but the following were not covered:

  • GHSA-573f-x89g-hqp9 — Malformed Content-Type headers (e.g. application/json; with no charset) pass Fastify's body schema validation and reach route handlers unvalidated.
  • GHSA-444r-cwp2-x5xf — X-Forwarded-Proto / X-Forwarded-Host headers can be spoofed to trick Fastify into trusting untrusted proxies, enabling host-header injection attacks.

Affected File

package.json: "fastify": "^5.7.3"

Severity

High (CVSS 7.5)

Fix

Upgrade fastify to the latest patched v5 release that addresses these two CVEs. Check Fastify security advisories for the minimum safe version. After upgrading, run:

npm audit --audit-level=high
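As an added illustration (not code from this issue or from Fastify itself), the following strict Content-Type parser shows what a well-formed header looks like versus the malformed form named above, such as "application/json;" with a dangling separator and no parameter; a service can run a check like this ahead of its body parser and answer 415 to anything that fails. The TOKEN regex and the function names are constructed here and are not Fastify APIs.

```javascript
// Added example: strict RFC 9110 media-type parsing, framework-agnostic.
// Rejects the malformed Content-Type shapes the advisory describes instead of
// letting them fall through to schema validation.
const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;

// Parse a Content-Type value into { type, params }; return null when the
// value does not follow media-type syntax (bad token, empty parameter, etc.).
function parseContentType(value) {
  if (typeof value !== 'string') return null;
  const [typePart, ...paramParts] = value.split(';');
  const [mainType, subType, ...rest] = typePart.trim().split('/');
  if (rest.length || !TOKEN.test(mainType || '') || !TOKEN.test(subType || '')) return null;
  const params = {};
  for (const raw of paramParts) {
    const p = raw.trim();
    if (p === '') return null;            // "application/json;" leaves an empty parameter
    const eq = p.indexOf('=');
    if (eq <= 0) return null;             // parameter without a name or without "="
    const name = p.slice(0, eq).toLowerCase();
    let val = p.slice(eq + 1);
    if (!TOKEN.test(name)) return null;
    if (val.startsWith('"')) {            // quoted-string value
      if (val.length < 2 || !val.endsWith('"')) return null;
      val = val.slice(1, -1);
    } else if (!TOKEN.test(val)) {        // token value; rejects "charset="
      return null;
    }
    params[name] = val;
  }
  return { type: `${mainType}/${subType}`.toLowerCase(), params };
}

// True only for a well-formed application/json header whose charset (default
// utf-8) is one the JSON body parser is expected to handle.
function isAcceptableJson(contentType) {
  const parsed = parseContentType(contentType);
  if (!parsed || parsed.type !== 'application/json') return false;
  const charset = (parsed.params.charset || 'utf-8').toLowerCase();
  return charset === 'utf-8' || charset === 'utf8';
}

// Constructed sample headers: the first two are accepted, the rest rejected.
const SAMPLES = ['application/json', 'application/json; charset=utf-8',
  'application/json;', 'application/json; charset=', 'text/plain'];
for (const h of SAMPLES) console.log(JSON.stringify(h), isAcceptableJson(h) ? 'accept' : 'reject 415');
```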
