CVE-2026-3419: Content-Type Validation Bypass in Fastify via Regex Anchor Missing
Vulnerability ID: CVE-2026-3419
CVSS Score: 5.3
Published: 2026-03-05
Fastify, a high-performance web framework for Node.js, contains a validation bypass vulnerability in its Content-Type header parsing logic. Due to an incomplete regular expression in lib/content-type.js, the framework fails to enforce the end-of-string anchor ($) when validating media subtypes. This omission allows attackers to supply malformed Content-Type headers containing illegal trailing characters (e.g., application/json garbage), which Fastify incorrectly accepts as valid. This behavior violates RFC 9110 §8.3.1 and can lead to parser confusion where malicious payloads are routed to incorrect content parsers, potentially bypassing security controls or triggering unexpected application behavior.
TL;DR
Fastify versions prior to 5.8.1 incorrectly validate Content-Type headers due to a missing regex anchor. Attackers can append arbitrary garbage to media types (e.g., application/json<script>) to bypass validation logic while still triggering JSON parsing.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-185
- CWE Name: Incorrect Regular Expression
- CVSS v3.1: 5.3 (Medium)
- Attack Vector: Network
- Impact: Validation Bypass
- Status: Patched
Affected Systems
- Fastify Framework (Node.js)
- Fastify: < 5.8.1 (Fixed in: 5.8.1)
Code Analysis
Commit: 67f6c9b
Fix: correctly validate content-type header to prevent trailing characters
const subtypeNameReg = /^[\w!#$%&'*+.^`|~-]+\s*$/
Exploit Details
- GitHub: The fix commit includes test cases acting as PoC, such as 'application/jsonalert(1)'
Mitigation Strategies
- Update Fastify to version 5.8.1 or higher immediately.
- Audit custom content type parsers for similar regex anchoring issues.
Remediation Steps:
- Check your `package.json` for the `fastify` dependency.
- Run `npm install fastify@latest` or `yarn upgrade fastify` to pull version 5.8.1.
- Verify the installed version using `npm list fastify`.
- If you define custom parsers via `fastify.addContentTypeParser`, review your regexes to ensure they start with `^` and end with `$`.