{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/validation-bypass/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33806"},{"cvss":7.5,"id":"CVE-2025-32442"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["fastify","validation-bypass","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFastify v5.x (specifically versions 5.3.2 through 5.8.4) contains a vulnerability where request body validation schemas specified via \u003ccode\u003eschema.body.content\u003c/code\u003e can be bypassed by prepending a single space character (\u003ccode\u003e\\x20\u003c/code\u003e) to the \u003ccode\u003eContent-Type\u003c/code\u003e header. This flaw, assigned CVE-2026-33806, arises from inconsistent handling of the Content-Type header during parsing and validation. The body is parsed correctly as JSON, but schema validation is skipped entirely. This is a regression introduced by commit \u003ccode\u003ef3d2bcb\u003c/code\u003e (April 18, 2025), a fix for CVE-2025-32442.\nThis vulnerability allows attackers to send malicious payloads that bypass intended data integrity and security checks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Fastify application using \u003ccode\u003eschema.body.content\u003c/code\u003e for request body validation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request with a JSON payload designed to violate the validation schema (e.g., exceeding an allowed amount or injecting an invalid admin value).\u003c/li\u003e\n\u003cli\u003eThe attacker prepends a single space character to the \u003ccode\u003eContent-Type\u003c/code\u003e header (e.g., \u003ccode\u003e Content-Type: application/json\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Fastify server parses the \u003ccode\u003eContent-Type\u003c/code\u003e header using \u003ccode\u003elib/validation.js\u003c/code\u003e, which splits the string, resulting in an empty string content type.\u003c/li\u003e\n\u003cli\u003eThe server fails to locate a validator associated with the empty string content type.\u003c/li\u003e\n\u003cli\u003eRequest body validation is skipped, and the malicious payload is processed by the application.\u003c/li\u003e\n\u003cli\u003eThe application processes the invalid data, potentially leading to unauthorized actions or data corruption.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as transferring an excessive amount, manipulating data, or gaining unauthorized privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability affects Fastify applications using \u003ccode\u003eschema.body.content\u003c/code\u003e for request body validation. By prepending a single space to the Content-Type header, attackers can bypass these validations.\nSuccessful exploitation allows an attacker to inject malicious payloads, leading to data corruption, unauthorized access, or other security breaches. While the exact number of victims is unknown, any application within the vulnerable version range is susceptible. This vulnerability requires no authentication and has zero complexity — it is a single-character modification to an HTTP header.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix by adding \u003ccode\u003etrimStart()\u003c/code\u003e before the split in \u003ccode\u003egetEssenceMediaType\u003c/code\u003e within the Fastify framework to address CVE-2026-33806.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Fastify Validation Bypass Attempt\u0026rdquo; to your SIEM to identify attempts to exploit this vulnerability by monitoring for requests with leading spaces in the Content-Type header.\u003c/li\u003e\n\u003cli\u003eUpgrade Fastify to a version beyond 5.8.4 to mitigate CVE-2026-33806.\u003c/li\u003e\n\u003cli\u003eReview all Fastify routes that use \u003ccode\u003eschema.body.content\u003c/code\u003e for potential vulnerabilities related to content-type validation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T19:26:39Z","date_published":"2026-04-15T19:26:39Z","id":"/briefs/2026-06-27-fastify-validation-bypass/","summary":"Fastify v5.x is vulnerable to a body schema validation bypass, allowing attackers to circumvent request body validation by prepending a single space to the Content-Type header, potentially compromising data integrity and security constraints.","title":"Fastify Body Schema Validation Bypass via Leading Space in Content-Type Header","url":"https://feed.craftedsignal.io/briefs/2026-06-27-fastify-validation-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Validation-Bypass","version":"https://jsonfeed.org/version/1.1"}