CVE-2022-39288
Published: 10 October 2022
Summary
CVE-2022-39288 is a high-severity Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in the Fastify web framework (vendor: Fastify). Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 10.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-39288 affects the fastify web framework for Node.js. Affected versions allow a denial-of-service condition when an invalid Content-Type header is processed, causing the application to crash. The issue stems from improper handling of malformed header values (CWE-754) and carries a CVSS 3.1 score of 7.5 reflecting high availability impact with no authentication or user interaction required.
An unauthenticated remote attacker can exploit the flaw by sending a single HTTP request containing a malicious Content-Type header. Successful exploitation terminates the Node.js process, resulting in a denial of service against the targeted fastify application.
The GitHub Security Advisory and accompanying commit fbb07e8d state that the vulnerability is resolved in release 4.8.1. Users who cannot upgrade are advised to implement manual filtering of incoming requests that contain suspicious or malformed Content-Type headers.
EPSS for the CVE reached a peak of 0.0792 on 2025-12-11 before receding to the current value of 0.0469, indicating a modest post-disclosure increase in exploitation interest that has since subsided.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-7008
Vulnerability details
fastify is a fast and low-overhead web framework for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit `fbb07e8d` and will be included in release version 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually filter out HTTP content with malicious Content-Type headers.
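Both the "Deeper analysis" section and the advisory text above name the same stopgap for deployments that cannot move to 4.8.1 yet: filter requests with malformed Content-Type headers before they reach the framework's body parser. The following is an added example of such a filter, written by the editor; it is not fastify's own code and not the fix in commit fbb07e8d. It uses fastify's public hook shape (`(request, reply, done)` for an `onRequest` hook, `reply.code()` and `reply.send()`), but the validator itself is plain Node.js and runs without fastify installed. The RFC 7231 media-type grammar encoded in the regular expression, the 1024-byte length cap and the sample header values are the editor's assumptions and constructed inputs.

```javascript
// Added example (editor's code, not fastify's): reject a present-but-malformed
// Content-Type header with 415 instead of letting it reach the body parser.
// Assumption: fastify's callback-style hook signature (request, reply, done).

// RFC 7230 token = 1*tchar
const TCHAR = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
// quoted-string content: qdtext (HTAB / SP / %x21 / %x23-5B / %x5D-7E)
// or quoted-pair ("\" followed by HTAB / SP / VCHAR)
const QDTEXT_OR_PAIR = "(?:[\\t \\x21\\x23-\\x5b\\x5d-\\x7e]|\\\\[\\t \\x21-\\x7e])";
const QUOTED = `"${QDTEXT_OR_PAIR}*"`;
// optional whitespace
const OWS = "[ \\t]*";
// parameter = OWS ";" OWS token "=" ( token / quoted-string )
const PARAM = `${OWS};${OWS}${TCHAR}=(?:${TCHAR}|${QUOTED})`;
// media-type = type "/" subtype *parameter, allowing trailing OWS
const MEDIA_TYPE = new RegExp(`^${TCHAR}/${TCHAR}(?:${PARAM})*${OWS}$`);

// Constructed cap: a legitimate media type never needs this much room, and it
// bounds the work the regular expression does per request.
const MAX_CONTENT_TYPE_LENGTH = 1024;

// Returns true only for a syntactically well-formed media type string.
function isWellFormedContentType(value) {
  if (typeof value !== 'string') return false;
  if (value.length === 0 || value.length > MAX_CONTENT_TYPE_LENGTH) return false;
  return MEDIA_TYPE.test(value);
}

// onRequest hook. A body-less request may legitimately omit Content-Type, so
// only a header that is present and malformed is rejected. When the hook sends
// the reply itself it must return without calling done(), per fastify's
// callback-style hook contract.
function contentTypeGuard(request, reply, done) {
  const contentType = request.headers['content-type'];
  if (contentType !== undefined && !isWellFormedContentType(contentType)) {
    reply
      .code(415)
      .send({ error: 'Unsupported Media Type', message: 'malformed Content-Type header' });
    return;
  }
  done();
}

// Registration in an application (not executed here, fastify is not required):
//   fastify.addHook('onRequest', contentTypeGuard);

// Constructed sample headers showing what the validator accepts and rejects.
const SAMPLE_HEADERS = [
  'application/json',
  'application/json; charset=utf-8',
  'text/plain;charset="utf-8"',
  'multipart/form-data; boundary=----constructed123',
  'application/json;',          // dangling separator
  'application',                // no subtype
  'text/plain; charset',        // parameter without a value
  '',                           // empty
];

// Classify each sample; returns an array of [header, accepted] pairs.
function classifySamples(headers = SAMPLE_HEADERS) {
  return headers.map((h) => [h, isWellFormedContentType(h)]);
}

for (const [header, ok] of classifySamples()) {
  console.log(`${ok ? 'accept' : 'reject'}  ${JSON.stringify(header)}`);
}
```

The guard is deliberately syntactic: it does not decide whether a media type is supported (fastify's content-type parsers do that), it only refuses values that are not a media type at all, so the failure mode becomes a 415 response logged like any other client error rather than a process exit. Upgrading to 4.8.1 remains the fix; this hook is the manual filtering the advisory describes for those who cannot.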
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requires detection and response to audit logging failures as an unusual or exceptional condition.
- Implements detection of unusual or exceptional conditions followed by safe mode entry, reducing the window for exploitation of unchecked conditions.
- Training ensures users perform required checks for unusual or exceptional conditions as part of contingency roles, limiting attacker leverage from skipped validations.
- IR testing directly validates checks for unusual or exceptional conditions that could indicate security incidents.
- Requires ongoing monitoring of organization-defined metrics and analysis, enabling checks for unusual or exceptional conditions.
- Security testing routinely checks for unusual or exceptional inputs/conditions, identifying missing validation steps that flaw remediation then resolves.
- Requires detection of unusual conditions followed by a controlled transition to the defined failure state.
- MTTF determination forces explicit checks for conditions that precede predictable component failure.