CVSS 3.1 base score: 5.3
Fastify Fails to Reject Malformed Content-Type Headers
CVE-2026-3419
GHSA-573f-x89g-hqp9
Summary
Fastify incorrectly allows requests with invalid Content-Type headers, potentially allowing an attacker to bypass validation and have the request processed by the server. This can happen when a request contains extra characters after the subtype token, like 'application/json garbage'. To fix this, update to Fastify version 5.8.1 or deploy a web application firewall (WAF) rule to protect against this issue.
What to do
- Update fastify (vendor: eomm) to version 5.8.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| eomm | fastify | > 5.7.2, <= 5.8.0 | 5.8.1 |
| eomm | fastify | > 5.7.2, <= 5.8.1 | 5.8.1 |
Original title
Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation
Original description
# Description
Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of [RFC 9110 §8.3.1](https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with `Content-Type: application/json garbage` passes validation and is processed normally, rather than being rejected with `415 Unsupported Media Type`.
When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.
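As an added example (not Fastify's own code), the check below applies the RFC 9110 §8.3.1 media-type grammar to a `Content-Type` value and places a start-only-anchored pattern, the bug class this advisory describes, beside a fully anchored one; both regexes are illustrative reconstructions, not the patterns from the Fastify source, and the parser table is a constructed stand-in for the regex-keyed parser matching the advisory mentions.

```javascript
// Added example, not Fastify's own code. Regexes are illustrative.

// tchar per RFC 9110 section 5.6.2
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
const QUOTED = '"(?:[^"\\\\]|\\\\.)*"';   // quoted-string, simplified
const OWS = "[ \\t]*";                    // optional whitespace
const PARAM = TOKEN + "=(?:" + TOKEN + "|" + QUOTED + ")";
// parameters = *( OWS ";" OWS [parameter] )
const PARAMS = "(?:" + OWS + ";" + OWS + "(?:" + PARAM + ")?)*";

// Bug class: anchored only at the start, so "application/json garbage" matches.
const WEAK_MEDIA_TYPE_RE = new RegExp("^" + TOKEN + "/" + TOKEN);
// Corrected: the whole value must be type "/" subtype parameters, then end.
const STRICT_MEDIA_TYPE_RE = new RegExp(
  "^" + TOKEN + "/" + TOKEN + PARAMS + OWS + "$"
);

function isValidMediaType(value, { strict = true } = {}) {
  return (strict ? STRICT_MEDIA_TYPE_RE : WEAK_MEDIA_TYPE_RE).test(value);
}

// Parser selection modelled on the behaviour the advisory describes: the full
// header value is matched against regex-keyed parsers. Validating first means
// a value with trailing garbage never reaches the matching step (a real server
// would answer 415 Unsupported Media Type at that point).
function selectParser(contentType, parsers, { strict = true } = {}) {
  if (!isValidMediaType(contentType, { strict })) return null;
  for (const [matcher, name] of parsers) {
    if (matcher.test(contentType)) return name;
  }
  return null;
}

// Constructed sample parser table and header values
const PARSERS = [[/json/i, "json"], [/^text\/plain/i, "text"]];
function demo() {
  const samples = ["application/json", "application/json; charset=utf-8",
                   "application/json garbage"];
  return samples.map((v) => ({
    value: v,
    valid: isValidMediaType(v),
    weakParser: selectParser(v, PARSERS, { strict: false }),
    strictParser: selectParser(v, PARSERS),
  }));
}
```

With the weak check, `application/json garbage` is routed to the `json` parser; with the anchored check it is rejected before parser matching.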
## Impact
An attacker can send requests with RFC-invalid `Content-Type` headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.
## Workarounds
Deploy a WAF rule to protect against this issue.
## Fix
The fix is available starting with v5.8.1.
NVD CVSS 3.1: 5.3
Vulnerability type: CWE-185 (Incorrect Regular Expression)
References
- https://cna.openjsf.org/security-advisories.html
- https://github.com/advisories/GHSA-573f-x89g-hqp9
- https://github.com/fastify/fastify/commit/67f6c9b32cb3623d3c9470cc17ed830dd2f083...
- https://httpwg.org/specs/rfc9110.html#field.content-type
- https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9
- https://www.cve.org/CVERecord?id=CVE-2026-3419
- https://nvd.nist.gov/vuln/detail/CVE-2026-3419
- https://github.com/fastify/fastify (product)
Published: 5 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026