CVE-2026-3419

{"id": "CVE-2026-3419", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-03-06T18:16:22.213", "references": [{"url": "https://cna.openjsf.org/security-advisories.html", "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://github.com/advisories/GHSA-573f-x89g-hqp9", "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://github.com/fastify/fastify/commit/67f6c9b32cb3623d3c9470cc17ed830dd2f083d7", "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9", "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://httpwg.org/specs/rfc9110.html#field.content-type", "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-3419", "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "description": [{"lang": "en", "value": "CWE-185"}]}], "descriptions": [{"lang": "en", "value": "Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 \u00a78.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.\n\nWhen regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.\n\nImpact:\nAn attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.\n\nWorkarounds:\nDeploy a WAF rule to protect against this\n\nFix:\n\nThe fix is available starting with v5.8.1."}], "lastModified": "2026-03-09T13:35:34.633", "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb"}