Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package fastify, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (10)
CVE-2018-3711 — CVSS 7.5 (high): Fastify node module before 0.38.0 is vulnerable to a denial-of-service attack by sending a request with "Content-Type: application/json"…
CVE-2022-39288 — CVSS 7.5 (high): fastify is a fast and low overhead web framework, for Node.js. Affected versions of fastify are subject to a denial of service via…
CVE-2025-32442 — CVSS 7.5 (high): Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that…
CVE-2026-25223 — CVSS 7.5 (high): Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify…
CVE-2026-33806 — CVSS 7.5 (high): Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by…
CVE-2020-8192 — CVSS 6.5 (medium): A denial of service vulnerability exists in Fastify v2.14.1 and v3.0.0-rc.4 that allows a malicious user to trigger resource exhaustion…
CVE-2026-3635 — CVSS 6.1 (medium): Summary When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop…
CVE-2026-3419 — CVSS 5.3 (medium): Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC…
CVE-2022-41919 — CVSS 4.2 (medium): Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect `Content-Type` to bypass the…
CVE-2026-25224 — CVSS 3.7 (low): Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web…