Fastify patches Content-Type whitespace schema validation bypass

TL;DR — Fastify’s per-content-type body validation can be skipped by sending a Content-Type header with a leading space, letting requests reach handlers without expected schema enforcement.

What happened

Fastify is a high-performance Node.js web framework commonly used for API backends where request schema validation is part of the application’s security and data-integrity posture.

CVE-2026-33806 describes a body schema validation bypass affecting Fastify apps that use schema.body.content for per-content-type validation: prepending a space to the Content-Type header causes schema validation to be skipped, even though the request body is still parsed correctly. The CVE notes this behavior is a regression introduced in fastify >= 5.3.2 as part of the fix for CVE-2025-32442.

Why this matters: header parsing/canonicalization edge cases routinely turn into “silent security control drop” failures (validation, auth, routing). If you rely on schema validation to enforce invariants before business logic (including downstream SQL/ORM assumptions), this is a high-leverage bypass primitive. (raw.githubusercontent.com)

Who is impacted

• Applications using fastify and relying on schema.body.content for per-content-type body validation.
• fastify versions >= 5.3.2 and < 5.8.5 (per the CVE affected version range). (raw.githubusercontent.com)

What to do now

• Follow vendor remediation guidance and apply a release that includes the fix.

  "Upgrade to fastify v5.8.5 or later." (raw.githubusercontent.com)

• Treat this as a validation control failure: inventory services using schema.body.content, and add regression tests for Content-Type normalization/whitespace handling in your edge stack (LB/WAF/proxies) and in application-level request handling.
• If you cannot patch immediately, note the CVE’s workaround guidance:

  "None. Upgrade to the patched version." (raw.githubusercontent.com)