Find, fix and prevent vulnerabilities in your code.
high severity
- Vulnerable module: fastify
- Introduced through: fastify@4.29.1
Detailed paths
-
Introduced through: fastify-hello-world@Viorel1989/fastify-hello-world#326d88e49d6e85955c5ed91062c8ea5c0e638fdd › fastify@4.29.1Remediation: Upgrade to fastify@5.7.2.
Overview
fastify is an overhead web framework, for Node.js.
Affected versions of this package are vulnerable to Interpretation Conflict via the Content-Type header processing. An attacker can bypass body validation by appending a tab character (\t) and arbitrary content to the Content-Type header, causing the server to treat the body as the intended type without enforcing validation rules.
Note: This vulnerability affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints.
Workaround
This vulnerability can be mitigated by implementing a custom onRequest hook to reject requests containing tab characters in the Content-Type header.
Remediation
Upgrade fastify to version 5.7.2 or higher.
References
medium severity
- Vulnerable module: fastify
- Introduced through: fastify@4.29.1
Detailed paths
-
Introduced through: fastify-hello-world@Viorel1989/fastify-hello-world#326d88e49d6e85955c5ed91062c8ea5c0e638fdd › fastify@4.29.1Remediation: Upgrade to fastify@5.7.3.
Overview
fastify is an overhead web framework, for Node.js.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the sendWebStream function. An attacker can cause excessive memory consumption by sending a slow or non-reading client request, leading to unbounded buffering and severe performance degradation or process crashes.
Note: Only applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted
Workaround
This vulnerability can be mitigated by avoiding Fastify Web Streams in responses and instead using Node.js streams or buffered payloads.
Remediation
Upgrade fastify to version 5.7.3 or higher.
References
medium severity
new
- Vulnerable module: fastify
- Introduced through: fastify@4.29.1
Detailed paths
-
Introduced through: fastify-hello-world@Viorel1989/fastify-hello-world#326d88e49d6e85955c5ed91062c8ea5c0e638fdd › fastify@4.29.1Remediation: Upgrade to fastify@5.8.3.
Overview
fastify is an overhead web framework, for Node.js.
Affected versions of this package are vulnerable to Use of Less Trusted Source in the request.protocol and request.host getters. An attacker can manipulate the perceived protocol and host by sending crafted X-Forwarded-Proto and X-Forwarded-Host headers after bypassing the proxy and connecting directly to the application port, potentially impacting security decisions such as HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, or host-based routing.
Note: This is only exploitable if the application uses the trustProxy option with a restrictive trust function and relies on request.protocol or request.host for security decisions, and the attacker is able to connect directly to the application, bypassing the proxy.
Remediation
Upgrade fastify to version 5.8.3 or higher.