How the CVE Works
CVE-2025-1234 affects Fastify versions 5.0.0 to 5.3.0 and 4.9.0. Applications that select validation rules based on the request content type can be bypassed by manipulating the `Content-Type` header: attackers can alter the header with different casing, extra whitespace, or malformed parameters (e.g., `application/JSON` instead of `application/json`, or `text/html ;` with stray whitespace before the parameter delimiter). Because the altered header no longer matches the expected value exactly, the schema validation check is skipped, potentially allowing malicious payloads to reach backend logic. The issue was partially fixed in v5.3.1 and fully resolved in v5.3.2 and v4.9.1.
DailyCVE Form
Platform: Fastify
Version: 5.0.0-5.3.0, 4.9.0
Vulnerability: Validation Bypass
Severity: Medium
Date: 2025-04-18
Prediction: Patch expected by 2025-04-25
What Undercode Says
Check Fastify version: `npm list fastify`
Example exploit curl request: `curl -X POST -H "Content-Type: application/JSON " http://vulnerable-app/api`
Mitigation command: `npm update fastify --save`
How the Exploit Works
- Manipulate `Content-Type` headers (e.g., `TEXT/XML` or `application/json;`).
- Submit malformed requests to bypass validation.
- Deliver payloads typically blocked by schema checks.
Protection from this CVE
- Upgrade to Fastify ≥5.3.2 or ≥4.9.1.
- Avoid per-content-type validation.
- Sanitize headers server-side.
Impact
- Unauthorized data submission.
- Potential injection attacks.
- Schema enforcement failure.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode