The vulnerability is a parser/validator differential caused by inconsistent handling of a leading space character (`\x20`) in the `Content-Type` header.

The parser in `lib/content-type.js` applies `trimStart()` before processing, so `' application/json'` becomes `'application/json'` and the body is parsed correctly. The validator in `lib/validation.js` uses `getEssenceMediaType(header)`, which splits the header on the regex `/[ ;]/` before any trimming. With a leading space, `' application/json'.split(/[ ;]/, 1)` returns an array whose only element is an empty string, because the space is itself a split delimiter. That empty string is then trimmed (still empty) and used as the content-type key to look up a validation schema. No schema exists for `''`, so validation is skipped entirely, while the body is still parsed (e.g., as JSON) and handed to the route handler.

This is a regression introduced by commit `f3d2bcb` (April 18, 2025), which changed the split delimiter from `';'` to `/[ ;]/` to fix CVE-2025-32442. The old code (`header.split(';', 1)[0].trim()`) was not vulnerable because `trim()` removed the leading space and a space was not a split delimiter; the new regex-based split creates the empty string before any trim occurs.

An attacker can bypass all `schema.body.content` validation by sending a single space before any content-type value, e.g., a `Content-Type` header whose value is `' application/json'`. The PoC shows that a normal request with `'application/json'` returns 400 (validation blocks an invalid payload), while the same request with `' application/json'` returns 200 and processes the invalid data.
dailycve form:
Platform: Fastify
Version: 5.x
Vulnerability: Validation bypass
Severity: Critical
Date: 2026-04-15
Prediction: 2026-04-22
What Undercode Say:
```bash
# Check for a vulnerable Fastify version
npm list fastify | grep "fastify@5"

# Baseline request: normal Content-Type, schema validation runs
curl -X POST http://target/transfer \
  -H "Content-Type: application/json" \
  -d '{"amount":9999,"recipient":"EVIL","admin":true}'

# Same request with a leading space (\x20) in the header value
# (two spaces after the colon so the value itself starts with a space)
curl -X POST http://target/transfer \
  -H "Content-Type:  application/json" \
  -d '{"amount":9999,"recipient":"EVIL","admin":true}'
```

```javascript
// Test using fastify.inject (Node.js); `app` is a Fastify instance with the
// /transfer route and its schema.body.content validation already registered
const app = require('fastify')();
// app.post('/transfer', { schema: { body: { content: { /* ... */ } } } }, handler)
app.inject({
  method: 'POST',
  url: '/transfer',
  headers: { 'content-type': ' application/json' },
  payload: '{"amount":9999}'
}).then(res => console.log(res.statusCode));
```
Exploit:
Send an HTTP POST request with a `Content-Type` header value prefixed by a single space (`\x20`), e.g. the value `' application/json'`. No authentication, zero complexity. Works on any route using `schema.body.content` validation. The body can contain arbitrary data violating schema constraints (e.g., `amount > 1000`, `admin = true`).
Protection from this CVE:
Update Fastify to a version where the fix is applied (not yet released as of ). Apply a hotfix: in `lib/validation.js`, function `getEssenceMediaType`, add `trimStart()` before the split: `return header.trimStart().split(/[ ;]/, 1)[0].trim().toLowerCase()`. Alternatively, implement a hook or middleware that normalizes the `Content-Type` header by trimming leading and trailing whitespace before Fastify processes it.
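The differential described above and the hotfix from the Protection section, as an added example that is neither Fastify's code nor part of the original post: the three lookup functions are reconstructed from the page's description of `lib/content-type.js` and `lib/validation.js`, and `schemas`, `classify` and `normalizeContentType` are assumed names constructed for illustration.

```javascript
// Added example: reconstructs the two header lookups described on this page
// from the prose, not from Fastify's source. `schemas` is a constructed
// stand-in for the schema.body.content map.

// Body parser side: trimStart() runs before the header is interpreted.
function parserKey(header) {
  return header.trimStart().split(';', 1)[0].trim().toLowerCase();
}

// Validator side after commit f3d2bcb: the regex split happens before any
// trim, so a leading space makes '' the schema lookup key.
function getEssenceMediaTypeVulnerable(header) {
  return header.split(/[ ;]/, 1)[0].trim().toLowerCase();
}

// Hotfix from the Protection section: trimStart() before the split.
function getEssenceMediaTypeFixed(header) {
  return header.trimStart().split(/[ ;]/, 1)[0].trim().toLowerCase();
}

// Constructed schema map keyed by essence media type.
const schemas = { 'application/json': { maxAmount: 1000 } };

// Reports what the parser and the validator would each key on, and whether
// the validator would find a schema for its key (no schema = no validation).
function classify(header, essenceFn) {
  const parsedAs = parserKey(header);
  const validatedAs = essenceFn(header);
  const hasSchema = Object.prototype.hasOwnProperty.call(schemas, validatedAs);
  return { parsedAs, validatedAs, validationSkipped: !hasSchema };
}

// Defensive normalization for a request hook (hook wiring is assumed and not
// shown): trim both ends so parser and validator agree on the same key.
function normalizeContentType(headers) {
  const ct = headers['content-type'];
  if (typeof ct === 'string') headers['content-type'] = ct.trim();
  return headers;
}

// Demonstration on the two header values the page compares.
for (const h of ['application/json', ' application/json']) {
  console.log(JSON.stringify(h),
    'vulnerable:', classify(h, getEssenceMediaTypeVulnerable),
    'fixed:', classify(h, getEssenceMediaTypeFixed));
}
```

Note that this exercises only the string handling; whether a leading space survives to the application depends on the HTTP layer in front of it, which is why the page's PoC uses `fastify.inject` as well as curl.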
Impact:
Full bypass of request body validation for all content types defined via `schema.body.content`. Attackers can inject malicious data (e.g., exceeding monetary limits, setting admin flags, SQL/NoSQL payloads) without triggering validation errors. No authentication required; remotely exploitable. Affects all Fastify v5.x applications that rely on per-content-type body validation for security or data integrity.
Sources:
Reported By: github.com

