{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25223", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-30T14:44:47.327Z", "datePublished": "2026-02-03T21:21:40.268Z", "dateUpdated": "2026-02-04T21:18:16.693Z"}, "containers": {"cna": {"title": "Fastify's Content-Type header tab character allows body validation bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-436", "lang": "en", "description": "CWE-436: Interpretation Conflict", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq"}, {"name": "https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821", "tags": ["x_refsource_MISC"], "url": "https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821"}, {"name": "https://hackerone.com/reports/3464114", "tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/3464114"}, {"name": "https://fastify.dev/docs/latest/Reference/Validation-and-Serialization", "tags": ["x_refsource_MISC"], "url": "https://fastify.dev/docs/latest/Reference/Validation-and-Serialization"}, {"name": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125", "tags": ["x_refsource_MISC"], "url": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125"}, {"name": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272", "tags": ["x_refsource_MISC"], "url": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272"}], "affected": [{"vendor": "fastify", "product": "fastify", "versions": [{"version": "< 5.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T21:21:40.268Z"}, "descriptions": [{"lang": "en", "value": "Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2."}], "source": {"advisory": "GHSA-jx2c-rxcm-jvmq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T21:18:10.359742Z", "id": "CVE-2026-25223", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T21:18:16.693Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25223", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T21:18:10.359742Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T21:18:14.142Z"}}], "cna": {"title": "Fastify's Content-Type header tab character allows body validation bypass", "source": {"advisory": "GHSA-jx2c-rxcm-jvmq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "fastify", "product": "fastify", "versions": [{"status": "affected", "version": "< 5.7.2"}]}], "references": [{"url": "https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq", "name": "https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821", "name": "https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821", "tags": ["x_refsource_MISC"]}, {"url": "https://hackerone.com/reports/3464114", "name": "https://hackerone.com/reports/3464114", "tags": ["x_refsource_MISC"]}, {"url": "https://fastify.dev/docs/latest/Reference/Validation-and-Serialization", "name": "https://fastify.dev/docs/latest/Reference/Validation-and-Serialization", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125", "name": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272", "name": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-436", "description": "CWE-436: Interpretation Conflict"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T21:21:40.268Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25223", "state": "PUBLISHED", "dateUpdated": "2026-02-04T21:18:16.693Z", "dateReserved": "2026-01-30T14:44:47.327Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-03T21:21:40.268Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "51FAFCEB-4FBC-4777-BC6D-91713CA5828A", "versionEndExcluding": "5.7.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2."}], "id": "CVE-2026-25223", "lastModified": "2026-02-10T20:05:15.127", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-03T22:16:31.130", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Technical Description"], "url": "https://fastify.dev/docs/latest/Reference/Validation-and-Serialization"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/3464114"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-436"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Fastify: Fastify: Validation bypass due to malformed Content-Type header leading to integrity impact", "id": "2436560", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436560"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-179", "details": ["A flaw was found in Fastify, a web framework for Node.js. A remote attacker can exploit a validation bypass vulnerability by appending a tab character followed by arbitrary content to the Content-Type header. This circumvents the request body validation schemas, allowing the server to process the body as the original content type without proper validation. This could lead to unexpected data processing and potential integrity impact."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-25223", "package_state": [{"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-dashboard-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mod-arch-gen-ai-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mod-arch-model-registry-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/dashboard-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-02-03T21:21:40Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25223\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25223\nhttps://fastify.dev/docs/latest/Reference/Validation-and-Serialization\nhttps://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125\nhttps://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272\nhttps://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821\nhttps://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq\nhttps://hackerone.com/reports/3464114"], "statement": "This IMPORTANT vulnerability in Fastify, a Node.js web framework, allows remote attackers to bypass request body validation by manipulating the Content-Type header. This can lead to unexpected data processing and integrity issues in applications. Red Hat products such as Red Hat Enterprise Linux AI, Red Hat OpenShift AI, and Red Hat OpenShift Dev Spaces are affected.", "threat_severity": "Important"}

{"created": "2026-02-04T12:05:26.727842+00:00", "updated": "2026-02-04T12:05:26.727868+00:00", "vendors": ["fastify", "fastify$PRODUCT$fastify"]}