{
  "canonical_id": "fastify--CVE-2026-3419",
  "system_id": "fastify",
  "display_name": "Fastify",
  "category": "frameworks",
  "advisory_mode": "core",
  "title": "Fastify's Missing End Anchor in \"subtypeNameReg\" Allows Malformed Content-Types to Pass Validation",
  "summary": "# Description\n\nFastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of [RFC 9110 \u00a78.3.1](https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with `Content-Type: application/json garbage` passes validation and is processed normally, rather than being rejected with `415 Unsupported Media Type`.\n\nWhen regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.\n\n## Impact\n\nAn attacker can send requests with RFC-invalid `Content-Type` headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.\n\n## Workarounds\n\nDeploy a WAF rule to protect against this\n\n## Fix\n\nThe fix is available starting with v5.8.1.",
  "published_at": "2026-03-05T21:29:54Z",
  "updated_at": "2026-03-16T03:05:26.332715Z",
  "severity": "low",
  "cvss_score": 3.1,
  "exploit_status": "unknown",
  "source_confidence": "official",
  "official_source_url": "https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9",
  "secondary_source_urls": [
    "https://nvd.nist.gov/vuln/detail/CVE-2026-3419",
    "https://github.com/fastify/fastify/commit/67f6c9b32cb3623d3c9470cc17ed830dd2f083d7",
    "https://cna.openjsf.org/security-advisories.html",
    "https://github.com/advisories/GHSA-573f-x89g-hqp9",
    "https://github.com/fastify/fastify",
    "https://httpwg.org/specs/rfc9110.html#field.content-type",
    "https://www.cve.org/CVERecord?id=CVE-2026-3419"
  ],
  "aliases": [
    "CVE-2026-3419",
    "GHSA-573f-x89g-hqp9"
  ],
  "cve_ids": [
    "CVE-2026-3419"
  ],
  "ghsa_ids": [
    "GHSA-573f-x89g-hqp9"
  ],
  "osv_ids": [
    "GHSA-573f-x89g-hqp9"
  ],
  "affected_versions": [
    "introduced=5.7.2, fixed<5.8.1"
  ],
  "fixed_versions": [
    "5.8.1"
  ],
  "package_name": "fastify",
  "render_markdown": true,
  "case_path": "07-framework-security/frameworks/fastify/cases/fastify-cve-2026-3419.md",
  "secure_code_topics": [
    "proxy-trust-boundary",
    "ssrf-url-validation",
    "xss-output-encoding",
    "token-cookie-storage"
  ],
  "status": "generated",
  "triage_reasons": [],
  "verification_status": "triage-manual",
  "verification_mode": "synthetic",
  "last_verified_at": null,
  "last_run_id": null,
  "evidence_bundle": null,
  "historical_status": null,
  "latest_status": null,
  "browser_evidence": {
    "required": false,
    "present": false,
    "refs": []
  },
  "repro_profile_id": "xss-generic",
  "artifact_mode": "synthetic",
  "blocked_reason": null,
  "metadata": {
    "source_names": [
      "OSV Fastify"
    ],
    "source_kinds": [
      "osv-batch"
    ],
    "candidate_count": 1
  }
}