fix(deps): update dependency fastify to v5.8.3 [security]#737
Open
renovate[bot] wants to merge 1 commit into
Open
fix(deps): update dependency fastify to v5.8.3 [security]#737renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
April 24, 2025 09:49
77060e3 to
4b95665
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
May 19, 2025 21:29
4b95665 to
ccf6f0b
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
2 times, most recently
from
June 4, 2025 07:03
f677419 to
a2a6ac1
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
July 2, 2025 15:00
a2a6ac1 to
7de2a40
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
August 10, 2025 15:01
7de2a40 to
758dfe5
Compare
|
All alerts resolved. Learn more about Socket for GitHub. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. |
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
2 times, most recently
from
August 19, 2025 16:32
2d1cfc3 to
626421a
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
August 31, 2025 10:17
626421a to
159faab
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
September 25, 2025 21:10
159faab to
4658eb2
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
October 21, 2025 16:04
4658eb2 to
72d8521
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
November 10, 2025 16:04
72d8521 to
2c1a9b2
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
December 3, 2025 20:00
2c1a9b2 to
0978ea0
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
December 31, 2025 14:56
0978ea0 to
541fa9b
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
January 8, 2026 17:15
541fa9b to
0f83609
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
January 19, 2026 17:50
0f83609 to
658ed4d
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
February 2, 2026 22:47
658ed4d to
49ed3b6
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
February 3, 2026 02:34
49ed3b6 to
e18349e
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
February 12, 2026 11:12
e18349e to
a8e5727
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
February 12, 2026 17:16
a8e5727 to
8f15ac9
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
February 16, 2026 12:45
8f15ac9 to
8305012
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
February 16, 2026 17:49
8305012 to
aa9ca38
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
March 26, 2026 18:35
268ce81 to
45c6879
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
March 26, 2026 21:04
45c6879 to
17c9a0f
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
3 times, most recently
from
April 1, 2026 17:53
96a7b06 to
c719c7f
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
April 1, 2026 23:58
c719c7f to
9ceecae
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
April 8, 2026 20:08
9ceecae to
d4dcb6d
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
April 8, 2026 23:59
d4dcb6d to
aae9eeb
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
April 15, 2026 10:05
aae9eeb to
e0c6acf
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
April 16, 2026 09:02
e0c6acf to
30e3847
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
April 16, 2026 17:01
30e3847 to
664fdac
Compare
renovate
Bot
force-pushed
the
renovate/npm-fastify-vulnerability
branch
from
April 16, 2026 23:48
664fdac to
76bd001
Compare
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.2.1→5.8.3^3.24.0→^5.8.3Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass
CVE-2025-32442 / GHSA-mg2h-6x62-wpwc
More information
Details
Impact
In applications that specify different validation strategies for different content types, it's possible to bypass the validation by providing a slightly altered content type such as with different casing or altered whitespacing before
;.Users using the the following pattern are affected:
User using the following pattern are not affected:
Patches
This was patched in v5.3.1, but unfortunately it did not cover all problems. This has been fully patched in v5.3.2.
Version v4.9.0 was also affected by this issue. This has been fully patched in v4.9.1.
Workarounds
Do not specify multiple content types in the schema.
References
Are there any links users can visit to find out more?
https://hackerone.com/reports/3087928
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Fastify's Content-Type header tab character allows body validation bypass
CVE-2026-25223 / GHSA-jx2c-rxcm-jvmq
More information
Details
Impact
A validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (
\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type.For example, a request with
Content-Type: application/json\tawill bypass JSON schema validation but still be parsed as JSON.This vulnerability affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints. The concrete impact depends on the handler implementation and the level of trust placed in the validated request body, but at the library level, this allows complete bypass of body validation for any handler using Content-Type-discriminated schemas.
This issue is a regression or missed edge case from the fix for a previously reported vulnerability.
Patches
This vulnerability has been patched in Fastify v5.7.2. All users should upgrade to this version or later immediately.
Workarounds
If upgrading is not immediately possible, user can implement a custom
onRequesthook to reject requests containing tab characters in the Content-Type header:Resources
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream
CVE-2026-25224 / GHSA-mrq3-vjjr-p77c
More information
Details
Impact
A Denial of Service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a
ReadableStream(orResponsewith a Web Stream body) viareply.send()are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation.Patches
The issue is fixed in Fastify 5.7.3. Users should upgrade to 5.7.3 or later.
Workarounds
Avoid sending Web Streams from Fastify responses (e.g.,
ReadableStreamorResponsebodies). Use Node.js streams (stream.Readable) or buffered payloads instead until the project can upgrade.References
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections
CVE-2026-3635 / GHSA-444r-cwp2-x5xf
More information
Details
Summary
When
trustProxyis configured with a restrictive trust function (e.g., a specific IP liketrustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), therequest.protocolandrequest.hostgetters readX-Forwarded-ProtoandX-Forwarded-Hostheaders from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.Affected Versions
fastify <= 5.8.2
Impact
Applications using
request.protocolorrequest.hostfor security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected whentrustProxyis configured with a restrictive trust function.When
trustProxy: true(trust everything), bothhostandprotocoltrust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.Severity
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
fastify/fastify (fastify)
v5.8.3Compare Source
This fixes CVE CVE-2026-3635 GHSA-444r-cwp2-x5xf.
What's Changed
New Contributors
Full Changelog: fastify/fastify@v5.8.2...v5.8.3
v5.8.2Compare Source
What's Changed
New Contributors
Full Changelog: fastify/fastify@v5.8.1...v5.8.2
v5.8.1Compare Source
Fixes "Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation": GHSA-573f-x89g-hqp9.
CVE-2026-3419
Full Changelog: fastify/fastify@v5.8.0...v5.8.1
v5.8.0Compare Source
What's Changed
tsconfig.eslint.jsonby @mrazauskas in #6524New Contributors
Full Changelog: fastify/fastify@v5.7.4...v5.8.0
v5.7.4Compare Source
Full Changelog: fastify/fastify@v5.7.3...v5.7.4
v5.7.3Compare Source
CVE-2026-25224.What's Changed
Full Changelog: fastify/fastify@v5.7.2...v5.7.3
v5.7.2Compare Source
Parsing of the
content-typeheader has been improved to a strict parser in PR #6414. This means only header values in the form described in RFC 9110 are accepted.What's Changed
New Contributors
Full Changelog: fastify/fastify@v5.7.1...v5.7.2
v5.7.1Compare Source
What's Changed
Full Changelog: fastify/fastify@v5.7.0...v5.7.1
v5.7.0Compare Source
What's Changed
New Contributors
Full Changelog: fastify/fastify@v5.6.2...v5.7.0
v5.6.2Compare Source
What's Changed
@fastify/sseas fastify core plugin to documentation and citgm by @manshusainishab in #6364nbusage by @Fdawgs in #6365New Contributors
Full Changelog: fastify/fastify@v5.6.1...v5.6.2
v5.6.1Compare Source
What's Changed
New Contributors
Full Changelog: fastify/fastify@v5.6.0...v5.6.1
v5.6.0Compare Source
What's Changed
New Contributors
Full Changelog: fastify/fastify@v5.5.0...v5.6.0
v5.5.0Compare Source
What's Changed
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.