CVE-2026-25223
Published: 03 February 2026
Summary
CVE-2026-25223 is a high-severity Interpretation Conflict (CWE-436) vulnerability in the Fastify web framework (vendor: Fastify). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 6.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25223 is a validation bypass vulnerability in Fastify, a fast and low-overhead web framework for Node.js, affecting versions prior to 5.7.2. The flaw allows attackers to completely circumvent request body validation schemas that are selected based on the Content-Type header. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, an attacker causes the server to process the request body as the original content type while the validation schema associated with that content type is not enforced. The issue is classified under CWE-436 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Any unauthenticated remote attacker who can send HTTP requests to an affected Fastify server can exploit this vulnerability with low complexity and no user interaction required. By crafting a malicious Content-Type header, the attacker bypasses body validation, allowing the submission of payloads that violate schema rules but are still parsed and processed according to the intended content type. This could lead to integrity impacts, such as injecting malformed data, executing unintended logic, or enabling further attacks depending on the application's validation usage.
The vulnerability has been patched in Fastify version 5.7.2. Mitigation involves upgrading to this version or later. Details on the fix are documented in the Fastify GitHub security advisory (GHSA-jx2c-rxcm-jvmq), the patching commit (32d7b6add39ddf082d92579a58bea7018c5ac821), and related code changes in content-type-parser.js and validation.js.
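As an added defensive illustration (not Fastify's own code, and the lenient-parser model below is an assumption for illustration, not the vulnerable or patched implementation), the following shows a strict RFC 9110 media-type syntax check that can run before body parsing, beside a simplified model of the parser/validator mismatch described above:

```javascript
// Added illustration, not Fastify's code: a strict Content-Type syntax check
// (RFC 9110 media-type grammar) a defender can apply before body parsing,
// plus a simplified model of the parser/schema-lookup mismatch described above.
// The lenient parser in the model is an assumption for illustration only.
const TOKEN = /[!#$%&'*+.^_`|~0-9A-Za-z-]+/.source;
const QUOTED = /"(?:[^"\\\x00-\x1f\x7f]|\\[\t -~])*"/.source;
const OWS = /[ \t]*/.source;                      // optional whitespace: SP / HTAB
const PARAM = `${TOKEN}=(?:${TOKEN}|${QUOTED})`;
// type "/" subtype *( OWS ";" OWS parameter ) -- nothing else may follow.
const MEDIA_TYPE_RE = new RegExp(`^${TOKEN}/${TOKEN}(?:${OWS};${OWS}${PARAM})*$`);

// True only for a syntactically valid media type: a tab followed by a bare
// token (no ';') is rejected, while "json\t; charset=utf-8" is legal OWS.
function isWellFormedContentType(header) {
  return typeof header === 'string' && MEDIA_TYPE_RE.test(header);
}

// Simplified model (assumption): a lenient body parser keys on the media type
// up to the first whitespace or ';', while schema selection keys on the raw
// header string. The two disagree whenever trailing bytes are appended.
function modelValidationPath(header, schemasByContentType) {
  const parserKey = header.split(/[\t ;]/)[0].toLowerCase();
  const hasSchema = Object.prototype.hasOwnProperty.call(schemasByContentType, header);
  return { parserKey, schemaApplied: hasSchema };
}

// Hardened path: reject malformed headers before either lookup runs, so the
// parser and the validator can never be driven by different strings.
function routeRequest(header, schemasByContentType) {
  if (!isWellFormedContentType(header)) {
    return { accepted: false, reason: 'malformed Content-Type' };
  }
  return { accepted: true, ...modelValidationPath(header, schemasByContentType) };
}

// Constructed sample: one schema registered for application/json.
const SCHEMAS = { 'application/json': { type: 'object', required: ['id'] } };
// Constructed header with a tab and trailing bytes appended (the pattern from the advisory).
const TAMPERED = 'application/json\tx';
const legit = routeRequest('application/json', SCHEMAS);   // accepted, schema applied
const lenient = modelValidationPath(TAMPERED, SCHEMAS);    // parsed as json, no schema
const hardened = routeRequest(TAMPERED, SCHEMAS);          // rejected before parsing
```

Logging every rejection from the hardened path gives a simple detection signal for this header pattern in environments that cannot upgrade immediately.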
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5157
Vulnerability details
Fastify is a fast and low-overhead web framework for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote unauthenticated bypass of server-side request body validation in a public-facing Node.js web framework (Fastify), enabling malformed payload submission to a web application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): mandates validation of all system inputs, including HTTP request headers and bodies, to prevent bypasses via manipulated Content-Type headers such as those with appended tab characters.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and remediation of flaws such as the Fastify validation bypass, enabling upgrades to patched versions such as 5.7.2.
- Input restriction (control identifier not given on this page): restricts harmful information system inputs such as malformed Content-Type headers, providing an additional layer against validation schema circumvention.