Fastify
cpe:2.3:a:fastify:fastify:*:*:*:*:node.js:*:*
- >= 5.0.0, <= 5.3.1
- = 4.9.0
A vulnerability in Fastify, a web framework for Node.js, allows validation bypass in applications that use different validation strategies for different content types. This issue is present in Fastify versions 5.0.0 through 5.3.0 and in version 4.9.0. The vulnerability arises from the framework's content-type parsing, which can be manipulated by altering the casing of the content type or adding whitespace before the semicolon. As a result, requests can bypass validation, and the request body may be handled incorrectly.
Exploiting this vulnerability can cause schema validation to be bypassed, allowing requests with invalid data to be accepted by the application.
To reproduce this vulnerability, create a Fastify application that defines a route with schema validation based on content type. Send a request whose Content-Type header is slightly altered, such as by changing the casing or adding spaces, to bypass the validation. For example, if the schema expects 'application/json', using 'Application/Json' or 'application/json ;' could bypass the validation for the 'foo' property.
Users can upgrade to Fastify versions 5.3.2 or 4.9.1, where this vulnerability has been fully patched. Alternatively, as a temporary workaround, avoid specifying multiple content types in the schema.
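The following added example (not Fastify's source code and not taken from the advisory) is a simplified model of the mismatch described above: the body parser accepts a content type leniently while the validator lookup uses the raw header text, compared with a lookup that normalizes first. All function names are hypothetical, and the rule that 'foo' must be a string is an assumption made for the demonstration.

```javascript
// Constructed model of per-content-type body validation; not Fastify's code.
// Assumption: the route's schema requires 'foo' to be a string.
const validateFoo = (body) => typeof body.foo === 'string';

// Validators keyed by content type, as on a route with per-type schemas.
const schemas = new Map([['application/json', validateFoo]]);

// Media type without parameters, trimmed and lower-cased.
function essence(header) {
  return String(header).split(';')[0].trim().toLowerCase();
}

// Weak lookup: raw text before ';' is the key, so case and spaces matter.
function lookupExact(header) {
  return schemas.get(String(header).split(';')[0]);
}

// Corrected lookup: the same normalization the parser selection uses.
function lookupNormalized(header) {
  return schemas.get(essence(header));
}

// Parser selection is lenient in both modes; only the validator lookup differs.
function handle(header, rawBody, lookup) {
  if (essence(header) !== 'application/json') return { status: 415, validated: false };
  const body = JSON.parse(rawBody);
  const validate = lookup(header);
  // When no validator is found, no check runs at all: this is the bypass.
  if (validate && !validate(body)) return { status: 400, validated: true };
  return { status: 200, validated: Boolean(validate) };
}

// Constructed sample input: the header variants named above and a body
// that violates the schema ('foo' is a number).
const headers = ['application/json', 'Application/Json', 'application/json ;'];
const badBody = '{"foo": 123}';

function compare() {
  return headers.map((h) => ({
    header: h,
    weak: handle(h, badBody, lookupExact).status,
    hardened: handle(h, badBody, lookupNormalized).status,
  }));
}

console.log(compare());
```

A response of 200 with `validated: false` is the condition to look for when testing a route on an affected version: the body was parsed as JSON but no schema was applied.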