CVE-2026-3419

CVE-2026-3419 is a medium-severity vulnerability in Fastify with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-185.

Key facts

Description

Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type. When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached. Impact: An attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid. Workarounds: Deploy a WAF rule to protect against this Fix: The fix is available starting with v5.8.1.

Frequently asked questions

What is CVE-2026-3419?
Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type. When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached. Impact: An attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid. Workarounds: Deploy a WAF rule to protect against this Fix: The fix is available starting with v5.8.1.
How severe is CVE-2026-3419?
CVE-2026-3419 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
Is CVE-2026-3419 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (27th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-3419?
CVE-2026-3419 affects Fastify. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-3419?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-3419 have an EU (EUVD) identifier?
Yes. CVE-2026-3419 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-10056.
When was CVE-2026-3419 published?
CVE-2026-3419 was published on 2026-03-06 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Fastify

All CVEs affecting Fastify →

Other CWE-185 vulnerabilities

Browse all CWE-185 vulnerabilities →