Cyber Resilience

CVE-2022-39288

High

Published: 10 October 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (fixed in release 4.8.1)
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0469 (89.6th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-39288 is a high-severity Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in fastify (vendor: Fastify). Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 10.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-39288 affects the fastify web framework for Node.js. Affected versions allow a denial-of-service condition when an invalid Content-Type header is processed, causing the application to crash. The issue stems from improper handling of malformed header values (CWE-754) and carries a CVSS 3.1 score of 7.5 reflecting high availability impact with no authentication or user interaction required.

An unauthenticated remote attacker can exploit the flaw by sending a single HTTP request containing a malicious Content-Type header. Successful exploitation terminates the Node.js process, resulting in a denial of service against the targeted fastify application.

The GitHub Security Advisory and accompanying commit fbb07e8d state that the vulnerability is resolved in release 4.8.1. Users who cannot upgrade are advised to implement manual filtering of incoming requests that contain suspicious or malformed Content-Type headers.

EPSS for the CVE reached a peak of 0.0792 on 2025-12-11 before receding to the current value of 0.0469, indicating a modest post-disclosure increase in exploitation interest that has since subsided.

Vulnerability details

fastify is a fast and low overhead web framework for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit `fbb07e8d` and will be included in release version 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually filter out HTTP content with malicious Content-Type headers.
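The advisory's fallback for users who cannot upgrade is to filter out requests with malformed Content-Type headers before fastify's content-type parser sees them. The block below is an added example of that workaround, not fastify's own code or the fix in commit `fbb07e8d` (upgrading to 4.8.1 remains the real remedy). It validates the header against the RFC 7231 media-type grammar (`type/subtype` followed by optional `;name=value` parameters) and answers 415 Unsupported Media Type from an `onRequest` hook when the header does not parse. The hook signature `(request, reply, done)` and `reply.code().send()` follow fastify's documented hook API; the strict grammar, the 415 status, and the `simulate` helper with its fake request and reply objects are this example's own choices. Note that the grammar is stricter than what many servers tolerate (a trailing `;` with no parameter is rejected, for instance), so tune it to the clients you actually serve.

```javascript
// Added example: reject malformed Content-Type headers in a fastify onRequest
// hook. Stand-alone: no fastify dependency is needed to run or test it.
// Register with:  fastify.addHook('onRequest', contentTypeGuard)

// RFC 7231 media-type grammar, restricted to the token character set:
//   media-type = type "/" subtype *( OWS ";" OWS parameter )
//   parameter  = token "=" ( token / quoted-string )
const TOKEN = /[!#$%&'*+\-.^_`|~0-9A-Za-z]+/.source;
// quoted-string: qdtext or a backslash-escaped pair, wrapped in double quotes
const QUOTED = /"(?:[^"\\\x00-\x1f]|\\[\x09\x20-\x7e])*"/.source;
const PARAM = `;[ \\t]*${TOKEN}=(?:${TOKEN}|${QUOTED})`;
const MEDIA_TYPE = new RegExp(`^[ \\t]*${TOKEN}/${TOKEN}(?:[ \\t]*${PARAM})*[ \\t]*$`);

// An absent header is acceptable (bodyless requests carry none); anything
// present must be a single string that matches the grammar above.
function isValidContentType(value) {
  if (value === undefined) return true;
  if (typeof value !== 'string') return false;
  return MEDIA_TYPE.test(value);
}

// fastify onRequest hook. Valid header: continue the chain via done().
// Invalid header: send the reply from the hook and do not call done(), which
// stops the hook chain so the body parser never runs on the bad value.
function contentTypeGuard(request, reply, done) {
  const value = request.headers['content-type'];
  if (isValidContentType(value)) {
    done();
    return;
  }
  if (request.log) {
    request.log.warn({ contentType: String(value) }, 'rejected malformed Content-Type header');
  }
  reply.code(415).send({ error: 'Unsupported Media Type' });
}

// Drive the hook with constructed fake request/reply objects (an assumption
// of this example, not fastify internals) and report what it did.
function simulate(contentType) {
  const request = { headers: contentType === undefined ? {} : { 'content-type': contentType } };
  const reply = {
    status: 200,
    body: null,
    code(c) { this.status = c; return this; },
    send(b) { this.body = b; return this; },
  };
  let passed = false;
  contentTypeGuard(request, reply, () => { passed = true; });
  return { passed, status: reply.status };
}

// Constructed sample headers, valid and malformed, for a quick demonstration.
for (const sample of ['application/json', 'text/html; charset=utf-8', 'application/json;', 'application']) {
  console.log(JSON.stringify(sample), '->', JSON.stringify(simulate(sample)));
}
```

A request that fails the check is answered with a clean 415 and a log line instead of an unhandled exception, which is also the signal to watch for in logs when gauging whether anyone is probing for this weakness.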

CWE(s): CWE-754 (Improper Check for Unusual or Exceptional Conditions)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: fastify
Product: fastify
Versions: ≤ 4.8.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- addresses CWE-754: Requires detection and response to audit logging failures as an unusual or exceptional condition.
- addresses CWE-754: Implements detection of unusual or exceptional conditions followed by safe mode entry, reducing the window for exploitation of unchecked conditions.
- addresses CWE-754: Training ensures users perform required checks for unusual or exceptional conditions as part of contingency roles, limiting attacker leverage from skipped validations.
- addresses CWE-754: IR testing directly validates checks for unusual or exceptional conditions that could indicate security incidents.
- addresses CWE-754: Requires ongoing monitoring of organization-defined metrics and analysis, enabling checks for unusual or exceptional conditions.
- addresses CWE-754: Security testing routinely checks for unusual or exceptional inputs/conditions, identifying missing validation steps that flaw remediation then resolves.
- addresses CWE-754: Requires detection of unusual conditions followed by a controlled transition to the defined failure state.
- addresses CWE-754: MTTF determination forces explicit checks for conditions that precede predictable component failure.