CVE-2025-32442
CVE-2025-32442 is a high-severity vulnerability rated 7.5/10 on the CVSS 3.1 scale (network-reachable, no privileges or user interaction required, integrity impact only). Fastify is a fast, low-overhead web framework for Node.js. In versions 5.0.0 to 5.3.0 and in version 4.29.0, applications that specify different validation strategies for different content types can have that validation bypassed by a request whose `Content-Type` header is _slightly altered_, for example with different casing or extra whitespace before the `;`. EPSS estimates a 0.64% chance of exploitation in the next 30 days.
Description
Fastify is a fast, low-overhead web framework for Node.js. In versions 5.0.0 to 5.3.0 and in version 4.29.0, applications that specify different validation strategies for different content types can have that validation bypassed by a request whose `Content-Type` header is _slightly altered_, for example with different casing or extra whitespace before the `;`: the altered header fails to match the configured content type, so the body is not checked against the schema intended for it. A first patch shipped in v5.3.1 but did not cover all variants; the issue is fully patched in v5.3.2 and v4.29.1, so anything below 5.3.2 on the 5.x line (or 4.29.0 on the 4.x line) should be treated as vulnerable. As a workaround, do not specify individual content types in the schema, so that a single body schema applies regardless of the declared content type.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Fastify | Fastify | >= 5.0.0, < 5.3.2 |
| Fastify | Fastify | 4.29.0 |
References
- https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc (Exploit, Third Party Advisory)
- https://hackerone.com/reports/3087928 (Permissions Required)
Source: NVD / NIST
