Fastify — CVE history (npm)
Fastify
10 CVEs affect the Fastify npm package (highest CVSS 7.5). Latest disclosed: 2026-04-15. Full CVE history sourced from NVD.
Summary
- Package: Fastify (npm)
- Total CVEs: 10
- Actively exploited (CISA KEV): 0
- Highest CVSS: 7.5
- Latest disclosed: 2026-04-15
Recent CVEs (top 10)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-33806 | High | 7.5 | — | 2026-04-15 | Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. |
| CVE-2026-3635 | Medium | 6.1 | — | 2026-03-23 | When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto an… |
| CVE-2026-3419 | Medium | 5.3 | — | 2026-03-06 | Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1 (https://httpwg.org/specs/rfc9110.html#field.content-type). |
| CVE-2026-25224 | Low | 3.7 | — | 2026-02-03 | Fastify is a fast and low overhead web framework, for Node.js. |
| CVE-2026-25223 | High | 7.5 | — | 2026-02-03 | Fastify is a fast and low overhead web framework, for Node.js. |
| CVE-2025-32442 | High | 7.5 | — | 2025-04-18 | Fastify is a fast and low overhead web framework, for Node.js. |
| CVE-2022-41919 | Medium | 4.2 | — | 2022-11-22 | Fastify is a web framework with minimal overhead and plugin architecture. |
| CVE-2022-39288 | High | 7.5 | — | 2022-10-10 | fastify is a fast and low overhead web framework, for Node.js. |
| CVE-2020-8192 | Medium | 6.5 | — | 2020-07-30 | A denial of service vulnerability exists in Fastify v2.14.1 and v3.0.0-rc.4 that allows a malicious user to trigger resource exhaustion (when the allErrors option is used) with specially crafted schemas. |
| CVE-2018-3711 | High | 7.5 | — | 2018-06-07 | Fastify node module before 0.38.0 is vulnerable to a denial-of-service attack by sending a request with "Content-Type: application/json" and a very large payload. |
All-time worst (top 10 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-33806 | High | 7.5 | — | 2026-04-15 | Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. |
| CVE-2026-25223 | High | 7.5 | — | 2026-02-03 | Fastify is a fast and low overhead web framework, for Node.js. |
| CVE-2025-32442 | High | 7.5 | — | 2025-04-18 | Fastify is a fast and low overhead web framework, for Node.js. |
| CVE-2022-39288 | High | 7.5 | — | 2022-10-10 | fastify is a fast and low overhead web framework, for Node.js. |
| CVE-2018-3711 | High | 7.5 | — | 2018-06-07 | Fastify node module before 0.38.0 is vulnerable to a denial-of-service attack by sending a request with "Content-Type: application/json" and a very large payload. |
| CVE-2020-8192 | Medium | 6.5 | — | 2020-07-30 | A denial of service vulnerability exists in Fastify v2.14.1 and v3.0.0-rc.4 that allows a malicious user to trigger resource exhaustion (when the allErrors option is used) with specially crafted schemas. |
| CVE-2026-3635 | Medium | 6.1 | — | 2026-03-23 | When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto an… |
| CVE-2026-3419 | Medium | 5.3 | — | 2026-03-06 | Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1 (https://httpwg.org/specs/rfc9110.html#field.content-type). |
| CVE-2022-41919 | Medium | 4.2 | — | 2022-11-22 | Fastify is a web framework with minimal overhead and plugin architecture. |
| CVE-2026-25224 | Low | 3.7 | — | 2026-02-03 | Fastify is a fast and low overhead web framework, for Node.js. |