Fastify Content-Type Header Validation Bypass Vulnerability

Vulnerability

A validation bypass vulnerability has been identified in Fastify, a web framework for Node.js, in versions prior to 5.7.2. This vulnerability allows attackers to circumvent request body validation schemas that are based on Content-Type headers. By adding a tab character followed by arbitrary content to the Content-Type header, the body validation can be bypassed, while the server continues to process the body as if it were the original content type. For instance, a request with 'Content-Type: application/json\ta' would bypass JSON validation but still be treated as JSON. This issue arises from a regression related to a previously reported vulnerability.

Impact

Exploiting this vulnerability allows for complete bypass of body validation in Fastify, which could lead to improper handling of request data and potential security issues, depending on how the validated data is used in the application.

Reproduction

To reproduce this vulnerability, send a POST request to a Fastify server with a Content-Type header that includes a tab character followed by additional content, such as 'application/json\ta'. Include a JSON payload that violates the expected schema. The server will process the request as valid JSON, despite the schema violation.

Remediation

Users are advised to upgrade to Fastify version 5.7.2 or later. If an immediate upgrade is not possible, a custom 'onRequest' hook can be implemented to reject requests with tab characters in the Content-Type header.
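The interim mitigation described above, as an added example that is not Fastify's own code: an 'onRequest' hook that rejects any request whose Content-Type header contains a tab character before the body parser sees it. It assumes the Fastify 5.x callback-style hook signature (request, reply, done) and that legitimate clients never send a tab in Content-Type (parameters such as charset are separated by a space, if anything). Fastify is not needed to run the file; the hook is a plain function that can be driven with a constructed request/reply pair.

```javascript
// Interim mitigation for the Fastify Content-Type tab bypass (added example,
// not Fastify's own code). Assumes Fastify 5.x hook signature
// (request, reply, done) and lower-cased header names as Node.js provides them.

// The bypass relies on a raw TAB (0x09) inside the Content-Type value, e.g.
// 'application/json\ta'. Any tab anywhere in the header is treated as a hard
// reject; well-formed clients use a space after ';' if they use anything.
const TAB_IN_HEADER = /\t/;

// Returns true when the request's Content-Type header contains a tab.
function hasTabInContentType(headers) {
  const ct = headers && headers['content-type'];
  return typeof ct === 'string' && TAB_IN_HEADER.test(ct);
}

// onRequest hook: runs before body parsing, so the malformed header never
// reaches the content-type parser or the schema lookup. Responds with
// 415 Unsupported Media Type and does NOT call done(), which is how a
// callback-style Fastify hook ends the request early.
function rejectTabbedContentType(request, reply, done) {
  if (hasTabInContentType(request.headers)) {
    reply.code(415).send({
      error: 'Unsupported Media Type',
      message: 'Malformed Content-Type header',
    });
    return;
  }
  done();
}

// Registers the hook on a Fastify instance (hypothetical helper name):
//   const fastify = require('fastify')();
//   registerMitigation(fastify);
function registerMitigation(fastify) {
  fastify.addHook('onRequest', rejectTabbedContentType);
}

// Minimal stand-in for Fastify's reply object, used for offline exercising
// of the hook; records the status code and payload instead of sending them.
function makeFakeReply() {
  return {
    statusCode: 200,
    payload: undefined,
    code(c) { this.statusCode = c; return this; },
    send(p) { this.payload = p; return this; },
  };
}
```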

Added: Feb 3, 2026, 10:30 PM
Updated: Feb 3, 2026, 10:30 PM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 0.6
exploitability: 6.8
remediation: 8.3
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.