Listen to this Post
The vulnerability CVE-2024-58027 exploits a flaw in Fastify’s content-type parsing logic for request body validation. When a schema is defined for a specific `Content-Type` (e.g., application/json), Fastify matches the header against this type to apply the correct validation rules. The bug allows an attacker to append a tab character (\t) followed by any string to the declared content type in the HTTP request header. For instance, a header of `Content-Type: application/json\tx` is incorrectly processed. The validation system fails to find a matching schema for the malformed type application/json\tx, leading to a bypass of all defined validation constraints. However, the underlying body parser still correctly identifies and processes the payload as the original type (e.g., JSON), because the parser typically splits the header on semicolons or truncates at the first non-whitespace control character. This discrepancy between the validation router and the body parser creates a complete validation bypass. It is a regression from a prior fix intended to handle whitespace in headers, where the tab character was not properly accounted for as a delimiter.
Platform: Fastify
Version: <5.7.2
Vulnerability: Validation Bypass
Severity: Critical
Date: 2024-11-22
Prediction: 2024-11-22
What Undercode Say:
curl -H "Content-Type: application/json\ta" -d '{"malicious":"data"}' http://target/
fastify.addHook('onRequest', async (request, reply) => {
const ct = request.headers['content-type'];
if (ct && ct.includes('\t')) {
reply.code(400).send();
}
});
How Exploit:
`Content-Type: application/json\tINJECT`
Protection from this CVE:
Upgrade to v5.7.2.
Implement provided `onRequest` hook.
Impact:
Complete schema validation bypass.
Potential data integrity compromise.
Security constraint circumvention.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

