CVE-2026-25223

Name: CVE-2026-25223
Creator: NVD / NIST
Published: 2026-02-03T22:16:31.13+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 0.52%

Last modified Jun 17, 2026

CVE-2026-25223 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. EPSS estimates a 0.52% chance of exploitation in the next 30 days.

Description

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Probability

0.52%

39.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-436

Affected Software

Vendor	Product	Versions
Fastify	Fastify	< 5.7.2

References

https://fastify.dev/docs/latest/Reference/Validation-and-SerializationProduct, Technical Description
https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125Product
https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272Product
https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821Patch
https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmqMitigation, Vendor Advisory
https://hackerone.com/reports/3464114Permissions Required

Timeline

Published: Feb 3, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-25223?

How severe is CVE-2026-25223?

CVE-2026-25223 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.52% probability of exploitation in the next 30 days.

How do I fix CVE-2026-25223?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-25223?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST