Find, fix and prevent vulnerabilities in your code.
high severity
new
- Vulnerable module: fastify
- Introduced through: fastify@4.29.1
Detailed paths
-
Introduced through: hello-welt@julie-ng/hello-welt#fa0ca0cc4ac5bdb41c6576800bd62ee0a6a69ac4 › fastify@4.29.1Remediation: Upgrade to fastify@5.7.2.
Overview
fastify is an overhead web framework, for Node.js.
Affected versions of this package are vulnerable to Interpretation Conflict via the Content-Type header processing. An attacker can bypass body validation by appending a tab character (\t) and arbitrary content to the Content-Type header, causing the server to treat the body as the intended type without enforcing validation rules.
Note: This vulnerability affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints.
Workaround
This vulnerability can be mitigated by implementing a custom onRequest hook to reject requests containing tab characters in the Content-Type header.
Remediation
Upgrade fastify to version 5.7.2 or higher.
References
medium severity
new
- Vulnerable module: fastify
- Introduced through: fastify@4.29.1
Detailed paths
-
Introduced through: hello-welt@julie-ng/hello-welt#fa0ca0cc4ac5bdb41c6576800bd62ee0a6a69ac4 › fastify@4.29.1Remediation: Upgrade to fastify@5.7.3.
Overview
fastify is an overhead web framework, for Node.js.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the sendWebStream function. An attacker can cause excessive memory consumption by sending a slow or non-reading client request, leading to unbounded buffering and severe performance degradation or process crashes.
Note: Only applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted
Workaround
This vulnerability can be mitigated by avoiding Fastify Web Streams in responses and instead using Node.js streams or buffered payloads.
Remediation
Upgrade fastify to version 5.7.3 or higher.