#VU125978 Incorrect Regular Expression in Fastify - CVE-2026-3419


Published: April 14, 2026


Vulnerability identifier: #VU125978
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-3419
CWE-ID: CWE-185
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Fastify
Software vendor: fastify.io

Description

The vulnerability allows a remote attacker to bypass content-type validation and submit malformed requests that are processed by the server.

The vulnerability exists due to an incorrect regular expression in subtypeNameReg when validating Content-Type headers that contain trailing characters after the subtype token. A remote attacker can send a specially crafted request with a malformed Content-Type header to bypass content-type validation and have the malformed request processed by the server.

When regex-based content-type parsers are in use, the malformed header value may be matched against the registered parsers using the full string, including the trailing garbage.
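The following is an added illustration of the CWE-185 pattern described above; it is not Fastify's code, and the LOOSE pattern is an illustrative stand-in for an unanchored subtype regex rather than the real subtypeNameReg. It shows why a media-type regex that stops matching after the subtype token accepts trailing characters, why a regex-based parser tested against the raw header then matches as well, and how anchoring the pattern and matching parsers on the normalised type/subtype closes both gaps (the TOKEN grammar follows RFC 7230's tchar set; the parser registry and sample headers are constructed).

```javascript
// Added example (not Fastify's own code): a Content-Type check whose subtype
// regex has no end anchor (CWE-185), beside a strictly anchored version.
// TOKEN is the RFC 7230 "token" grammar: tchar = "!#$%&'*+-.^_`|~" DIGIT ALPHA.
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";

// Loose pattern (illustrative stand-in for an unanchored subtype regex): once
// the subtype token has matched, anything may follow, so trailing garbage passes.
const LOOSE = new RegExp('^(' + TOKEN + ')/(' + TOKEN + ')');

// Strict pattern: after the subtype token only optional whitespace and
// ";"-delimited parameters may appear before end of string.
const STRICT = new RegExp('^(' + TOKEN + ')/(' + TOKEN + ')\\s*(?:;.*)?$');

// Returns the lower-cased "type/subtype" essence, or null when the header
// does not satisfy the given pattern.
function mediaTypeEssence(header, pattern) {
  const m = pattern.exec(header);
  return m ? (m[1] + '/' + m[2]).toLowerCase() : null;
}

// Regex-based parsers registered by the application (constructed sample).
const REGEX_PARSERS = [['json-parser', /^application\/json/]];

// Vulnerable flow: loose validation, then regex parsers tested against the
// raw header, so "application/json<garbage>" still selects json-parser.
function selectParserVulnerable(header) {
  if (mediaTypeEssence(header, LOOSE) === null) return null;
  const hit = REGEX_PARSERS.find(([, re]) => re.test(header));
  return hit ? hit[0] : null;
}

// Hardened flow: strict validation rejects trailing characters, and parsers are
// matched against the normalised essence rather than the raw header string.
function selectParserHardened(header) {
  const essence = mediaTypeEssence(header, STRICT);
  if (essence === null) return null;
  const hit = REGEX_PARSERS.find(([, re]) => re.test(essence));
  return hit ? hit[0] : null;
}

// Constructed sample headers exercising the edge case.
const SAMPLES = ['application/json', 'application/json; charset=utf-8',
                 'application/json<garbage>', 'application/'];
for (const h of SAMPLES) {
  console.log(JSON.stringify(h), 'vulnerable:', selectParserVulnerable(h),
              'hardened:', selectParserHardened(h));
}
```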


Remediation

Install the security update from the vendor's website.

External links