Fastify — CVE history (npm)

Fastify

10 CVEs affect the Fastify npm package (highest CVSS 7.5). Latest disclosed: 2026-04-15. Full CVE history sourced from NVD.

Summary

Package: Fastify (npm)
Total CVEs: 10
Actively exploited (CISA KEV): 0
Highest CVSS: 7.5
Latest disclosed: 2026-04-15

Recent CVEs (top 10)

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-33806 | High | 7.5 | No | 2026-04-15 | Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header.
CVE-2026-3635 | Medium | 6.1 | No | 2026-03-23 | When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto an…
CVE-2026-3419 | Medium | 5.3 | No | 2026-03-06 | Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1 (https://httpwg.org/specs/rfc9110.html#field.content-type).
CVE-2026-25224 | Low | 3.7 | No | 2026-02-03 | Fastify is a fast and low overhead web framework, for Node.js.
CVE-2026-25223 | High | 7.5 | No | 2026-02-03 | Fastify is a fast and low overhead web framework, for Node.js.
CVE-2025-32442 | High | 7.5 | No | 2025-04-18 | Fastify is a fast and low overhead web framework, for Node.js.
CVE-2022-41919 | Medium | 4.2 | No | 2022-11-22 | Fastify is a web framework with minimal overhead and plugin architecture.
CVE-2022-39288 | High | 7.5 | No | 2022-10-10 | fastify is a fast and low overhead web framework, for Node.js.
CVE-2020-8192 | Medium | 6.5 | No | 2020-07-30 | A denial of service vulnerability exists in Fastify v2.14.1 and v3.0.0-rc.4 that allows a malicious user to trigger resource exhaustion (when the allErrors option is used) with specially crafted schemas.
CVE-2018-3711 | High | 7.5 | No | 2018-06-07 | Fastify node module before 0.38.0 is vulnerable to a denial-of-service attack by sending a request with "Content-Type: application/json" and a very large payload.

All-time worst (top 10 by CVSS)

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-33806 | High | 7.5 | No | 2026-04-15 | Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header.
CVE-2026-25223 | High | 7.5 | No | 2026-02-03 | Fastify is a fast and low overhead web framework, for Node.js.
CVE-2025-32442 | High | 7.5 | No | 2025-04-18 | Fastify is a fast and low overhead web framework, for Node.js.
CVE-2022-39288 | High | 7.5 | No | 2022-10-10 | fastify is a fast and low overhead web framework, for Node.js.
CVE-2018-3711 | High | 7.5 | No | 2018-06-07 | Fastify node module before 0.38.0 is vulnerable to a denial-of-service attack by sending a request with "Content-Type: application/json" and a very large payload.
CVE-2020-8192 | Medium | 6.5 | No | 2020-07-30 | A denial of service vulnerability exists in Fastify v2.14.1 and v3.0.0-rc.4 that allows a malicious user to trigger resource exhaustion (when the allErrors option is used) with specially crafted schemas.
CVE-2026-3635 | Medium | 6.1 | No | 2026-03-23 | When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto an…
CVE-2026-3419 | Medium | 5.3 | No | 2026-03-06 | Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1 (https://httpwg.org/specs/rfc9110.html#field.content-type).
CVE-2022-41919 | Medium | 4.2 | No | 2022-11-22 | Fastify is a web framework with minimal overhead and plugin architecture.
CVE-2026-25224 | Low | 3.7 | No | 2026-02-03 | Fastify is a fast and low overhead web framework, for Node.js.