Cyber Posture

CVE-2026-25223

Severity: High
Published: 03 February 2026
Modified: 10 February 2026
KEV Added: not listed
Patch: fixed in Fastify 5.7.2
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0002 (5.5th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25223 is a high-severity Interpretation Conflict (CWE-436) vulnerability in Fastify, the Node.js web framework (vendor Fastify, product fastify). It lets a remote client bypass request body schema validation through a malformed Content-Type header. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0002 places it at the 5.5th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique?

Direct remote unauthenticated bypass of server-side request body validation in a public-facing Node.js web framework (Fastify), enabling submission of payloads that violate the route's schema to a web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.

Deeper analysis (AI-generated)

CVE-2026-25223 is a validation bypass vulnerability in Fastify, a fast and low-overhead web framework for Node.js, affecting versions prior to 5.7.2. The flaw allows attackers to completely circumvent request body validation schemas that are selected by the request's Content-Type header. Appending a tab character (\t) followed by arbitrary content to the Content-Type header causes the server to process the request body as the original content type without enforcing the associated validation schema. The CWE-436 classification (Interpretation Conflict) names the root cause: the component that selects the validation schema and the component that selects the body parser read the same Content-Type header differently, so one sees an unknown type and applies no schema while the other still sees the original type and parses the body. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N): network-reachable, low complexity, no privileges or user interaction required, with the impact limited to integrity.

Any unauthenticated remote attacker who can send HTTP requests to an affected Fastify server can exploit this vulnerability with low complexity and no user interaction. By crafting a malicious Content-Type header, the attacker bypasses body validation and submits payloads that violate the schema rules but are still parsed and processed according to the intended content type. The consequence is an integrity impact whose severity depends on how much the application relies on schema validation as its only input check: injecting malformed or out-of-range data, reaching handler logic with unexpected field types, or enabling further attacks downstream.

The vulnerability has been patched in Fastify version 5.7.2; the fix is to upgrade to that version or later. Details on the fix are documented in the Fastify GitHub security advisory (GHSA-jx2c-rxcm-jvmq), the patching commit (32d7b6add39ddf082d92579a58bea7018c5ac821), and the related changes in content-type-parser.js and validation.js. Two practitioner notes: run npm ls fastify to find nested or transitively pinned copies, since a lockfile can keep an old version alongside a patched top-level one; and until the upgrade lands, treat framework schema validation as bypassable and reject Content-Type headers that contain whitespace or control characters after the media type, at a reverse proxy or in a request hook, before the body is parsed.
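A minimal JavaScript model of the interpretation conflict described above, added here as an illustration; it is not Fastify's code and does not reproduce the framework's internals. The two lookup tables, the tiny validator, the helper names and the request values are constructed for the example. The vulnerable model assumes a schema table keyed by the raw header string and a parser chosen by the leading media-type token, which is one way the described behaviour can arise; the hardened model normalizes the header once and uses the same key for both lookups.

```javascript
// Added example: a constructed model of the CWE-436 interpretation conflict
// behind CVE-2026-25223. It is not Fastify's code; table shapes, helper
// names and request values are assumptions made for illustration.

// Constructed schema table: a JSON body must carry a string "user" field.
const bodySchemas = {
  'application/json': { required: ['user'], types: { user: 'string' } },
};

// Constructed parser table keyed by media type.
const bodyParsers = {
  'application/json': (raw) => JSON.parse(raw),
  'text/plain': (raw) => String(raw),
};

// Tiny stand-in for a JSON-schema validator: required keys plus field types.
function validateBody(schema, body) {
  if (typeof body !== 'object' || body === null) return false;
  for (const key of schema.required) if (!(key in body)) return false;
  for (const [key, type] of Object.entries(schema.types)) {
    if (key in body && typeof body[key] !== type) return false;
  }
  return true;
}

// Vulnerable model: the schema lookup uses the raw header string, while the
// parser is chosen by the leading media-type token, which stops at whitespace.
// "application/json\tjunk" therefore matches no schema but still parses as JSON.
function handleVulnerable(contentType, rawBody) {
  const schema = bodySchemas[contentType];                 // exact-string match
  const m = /^([^\s;]+)/.exec(contentType);                // loose token match
  const token = m ? m[1].toLowerCase() : null;
  const parse = token && bodyParsers[token];
  if (!parse) return { status: 415 };
  let body;
  try { body = parse(rawBody); } catch { return { status: 400, reason: 'parse' }; }
  if (schema && !validateBody(schema, body)) return { status: 400, reason: 'schema' };
  return { status: 200, body, validated: Boolean(schema) };
}

// Hardened model: normalize the header once. Accept only token "/" token,
// optionally followed by ";" parameters (the RFC 7231 media-type shape);
// anything else, including a tab after the subtype, is rejected before the
// body is read.
const TCHAR = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";
const MEDIA_TYPE_RE = new RegExp(`^(${TCHAR}\\/${TCHAR})(?:[ \\t]*;[\\s\\S]*)?$`);

function canonicalMediaType(contentType) {
  const m = MEDIA_TYPE_RE.exec(contentType);
  return m ? m[1].toLowerCase() : null;
}

// Both the parser and the schema are looked up with the same canonical key.
function handleHardened(contentType, rawBody) {
  const key = canonicalMediaType(contentType);
  if (!key || !bodyParsers[key]) return { status: 415 };
  let body;
  try { body = bodyParsers[key](rawBody); } catch { return { status: 400, reason: 'parse' }; }
  const schema = bodySchemas[key];
  if (schema && !validateBody(schema, body)) return { status: 400, reason: 'schema' };
  return { status: 200, body, validated: Boolean(schema) };
}

// Constructed request: "user" is a number, which the schema forbids.
const ATTACK_HEADER = 'application/json\tx';
const BAD_BODY = JSON.stringify({ user: 42 });

function demo() {
  return {
    normalVulnerable: handleVulnerable('application/json', BAD_BODY), // 400, schema
    tabVulnerable: handleVulnerable(ATTACK_HEADER, BAD_BODY),         // 200, unvalidated
    tabHardened: handleHardened(ATTACK_HEADER, BAD_BODY),             // 415
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the hardened path is not the stricter regex by itself but that one canonical key feeds every decision made from the header; a second, looser parse anywhere in the pipeline reintroduces the same class of bypass.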

Details

CWE(s)

CWE-436 Interpretation Conflict

Affected Products

fastify (vendor) / fastify (product)
< 5.7.2 (fixed in 5.7.2)

CVEs Like This One

CVE-2026-33806 (same product: Fastify)
CVE-2026-33807 (shared CWE-436)
CVE-2026-33804 (shared CWE-436)
CVE-2026-6270 (shared CWE-436)
CVE-2026-41248 (shared CWE-436)
CVE-2026-6322 (shared CWE-436)
CVE-2026-27444 (shared CWE-436)
CVE-2026-27896 (shared CWE-436)
CVE-2026-0958 (shared CWE-436)
CVE-2025-25292 (shared CWE-436)

References

GitHub security advisory GHSA-jx2c-rxcm-jvmq
Fastify patching commit 32d7b6add39ddf082d92579a58bea7018c5ac821 (changes in content-type-parser.js and validation.js)