EXECUTIVE SUMMARY:
The Fastify framework suffers from a high-severity input validation vulnerability, CVE-2026-25223, that allows attackers to bypass request body validation by manipulating the Content-Type header with a tab character. This issue affects Fastify versions prior to 5.7.2, where improper parsing of the header results in schema validation being skipped entirely. The vulnerability has been assigned a CVSS v3 base score of 7.5 (High), reflecting its network-exploitable nature and low attack complexity. No authentication or user interaction is required to exploit this flaw, which increases its exposure in internet-facing applications. Successful exploitation may allow attackers to submit malicious or unexpected payloads that bypass validation controls. Since Fastify relies heavily on strict body validation to enforce application logic, this weakness can undermine data integrity. Applications that process untrusted input are particularly at risk wherever validation is assumed to be enforced.
RECOMMENDATION:
We strongly recommend that you update Fastify to version 5.7.2.
REFERENCES:
The following reports contain further technical details: