CVE-2025-32442

April 18, 2025, 9:15 p.m.

7.5
High

Description

Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`. This was patched in v5.3.1, but the initial patch did not cover all problems. This has been fully patched in v5.3.2. A workaround involves not specifying individual content types in the schema.

Product(s) Impacted

Vendor Product Versions
Fastify
  • Fastify
  • 5.0.0-5.3.0, 5.3.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-1287
Improper Validation of Specified Type of Input
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a fastify fastify 5.0.0-5.3.0 / / / / / / /
a fastify fastify 5.3.1 / / / / / / /

References

https://github.com/fastify/fastify/commit/436da4c06dfbbb8c24adee3a64de0c51e4f47418
https://github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4
https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc
https://hackerone.com/reports/3087928

Tags

security-advisories@github.com
CWE-1287
2025-04-18
CVE-2025-32442

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

    View Vector String

Timeline

Published: April 18, 2025, 4:15 p.m.
Last Modified: April 18, 2025, 9:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.