chore(deps): update dependency fastify to v5.7.3 [security]

[renovate-sh-app]

This PR contains the following updates:

Package	Change	Age	Confidence
fastify (source)	5.6.2 → 5.7.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-25223

Impact

A validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type.

For example, a request with Content-Type: application/json\ta will bypass JSON schema validation but still be parsed as JSON.

This vulnerability affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints. The concrete impact depends on the handler implementation and the level of trust placed in the validated request body, but at the library level, this allows complete bypass of body validation for any handler using Content-Type-discriminated schemas.

This issue is a regression or missed edge case from the fix for a previously reported vulnerability.

Patches

This vulnerability has been patched in Fastify v5.7.2. All users should upgrade to this version or later immediately.

Workarounds

If upgrading is not immediately possible, user can implement a custom onRequest hook to reject requests containing tab characters in the Content-Type header:

fastify.addHook('onRequest', async (request, reply) => {
  const contentType = request.headers['content-type']
  if (contentType && contentType.includes('\t')) {
    reply.code(400).send({ error: 'Invalid Content-Type header' })
  }
})

Resources

• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272
• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125
• Fastify Validation and Serialization Documentation
• https://hackerone.com/reports/3464114

---

Fastify's Content-Type header tab character allows body validation bypass

CVE-2026-25223 / GHSA-jx2c-rxcm-jvmq

More information

Details

Impact

A validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type.

For example, a request with Content-Type: application/json\ta will bypass JSON schema validation but still be parsed as JSON.

This vulnerability affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints. The concrete impact depends on the handler implementation and the level of trust placed in the validated request body, but at the library level, this allows complete bypass of body validation for any handler using Content-Type-discriminated schemas.

This issue is a regression or missed edge case from the fix for a previously reported vulnerability.

Patches

This vulnerability has been patched in Fastify v5.7.2. All users should upgrade to this version or later immediately.

Workarounds

If upgrading is not immediately possible, user can implement a custom onRequest hook to reject requests containing tab characters in the Content-Type header:

fastify.addHook('onRequest', async (request, reply) => {
  const contentType = request.headers['content-type']
  if (contentType && contentType.includes('\t')) {
    reply.code(400).send({ error: 'Invalid Content-Type header' })
  }
})

Resources

• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272
• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125
• Fastify Validation and Serialization Documentation
• https://hackerone.com/reports/3464114

Severity

• CVSS Score: Unknown
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

• https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq
• https://nvd.nist.gov/vuln/detail/CVE-2026-25223
• https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821
• https://hackerone.com/reports/3464114
• https://fastify.dev/docs/latest/Reference/Validation-and-Serialization
• https://github.com/fastify/fastify
• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125
• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream

CVE-2026-25224 / GHSA-mrq3-vjjr-p77c

More information

Details

Impact

A Denial of Service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation.

Patches

The issue is fixed in Fastify 5.7.3. Users should upgrade to 5.7.3 or later.

Workarounds

Avoid sending Web Streams from Fastify responses (e.g., ReadableStream or Response bodies). Use Node.js streams (stream.Readable) or buffered payloads instead until the project can upgrade.

References

• https://hackerone.com/reports/3524779

Severity

• CVSS Score: Unknown
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c
• https://nvd.nist.gov/vuln/detail/CVE-2026-25224
• https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37
• https://hackerone.com/reports/3524779
• https://github.com/fastify/fastify

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

fastify/fastify (fastify)

v5.7.3

Compare Source

⚠️ Security Release

• Fix GHSA-mrq3-vjjr-p77c CVE-2026-25224.

What's Changed

• docs: update Reply.send() documentation for string serialization by @​mcollina in #​6466
• chore: ignore agents config files by @​mcollina in #​6474
• docs: update vulnerability reporting to use GitHub Security by @​mcollina in #​6475

Full Changelog: fastify/fastify@v5.7.2...v5.7.3

v5.7.2

Compare Source

⚠️ Notice ⚠️

Parsing of the content-type header has been improved to a strict parser in PR #​6414. This means only header values in the form described in RFC 9110 are accepted.

What's Changed

• chore: npm ignore AI related files by @​climba03003 in #​6447
• chore: update sponsor url by @​Eomm in #​6450
• docs: add fastify-http-exceptions to Ecosystem.md by @​bhouston in #​6442
• docs: fix invalid shorten form schema example by @​climba03003 in #​6448
• docs: Simplify and tighten decorators example by @​smith558 in #​6451
• docs: Fix incorrect variable use by @​smith558 in #​6455
• chore: update sponsor link by @​Eomm in #​6460
• fix: Fix MIT Licence file to conform to standard by @​smith558 in #​6464
• docs: move querystringParser option under routerOptions by @​inyourtime in #​6463
• chore: Updated content-type header parsing by @​jsumners in #​6414

New Contributors

• @​bhouston made their first contribution in #​6442

Full Changelog: fastify/fastify@v5.7.1...v5.7.2

v5.7.1

Compare Source

What's Changed

• chore: Bump actions/checkout from 5 to 6 by @​dependabot[bot] in #​6434
• chore: updated version in the fastify.js by @​Tony133 in #​6446

Full Changelog: fastify/fastify@v5.7.0...v5.7.1

v5.7.0

Compare Source

What's Changed

• docs: Improved firebase serverless guide about process remaining stuck by @​alexandercerutti in #​6380
• docs: update migration guide with date-time breaking change by @​craftsman01 in #​6110
• chore: remove test file by @​Eomm in #​6384
• feat: speed up loading with custom compiler by @​Eomm in #​6383
• docs: replace all instances of twitter.com with x.com by @​cseas in #​6355
• docs: correct logger option in example by @​inyourtime in #​6391
• docs: fix links by @​Shriti507 in #​6394
• chore: skip unnecessary object creation by @​Eomm in #​6400
• docs: Update JSON Schema link in documentation by @​jon23d in #​6402
• docs(ecosystem): add fastify-ses-mailer by @​KaranHotwani in #​6395
• docs: add security note about validation errors in response by @​mcollina in #​6407
• docs: add security threat model by @​mcollina in #​6406
• chore: update onboarding and offboarding instructions by @​Eomm in #​6403
• fix: set status code before publishing diagnostics error channel by @​tt-a1i in #​6412
• fix: use JSON.stringify in onBadUrl for proper escaping by @​mcollina in #​6420
• chore: fix type test by @​mrazauskas in #​6418
• docs: improve Validation-and-Serialization.md by @​twentytwo777 in #​6423
• test: skip IPv6 test if its support is not present by @​LiviaMedeiros in #​6428
• test: fix test when localhost has multiple addresses by @​LiviaMedeiros in #​6427
• docs: add security warning for requestIdHeader by @​mcollina in #​6425
• docs(ecosystem): add elements-fastify by @​rohitsoni007 in #​6416
• chore: Bump actions/dependency-review-action from 4.8.1 to 4.8.2 by @​dependabot[bot] in #​6433
• chore: Bump markdownlint-cli2 from 0.18.1 to 0.20.0 by @​dependabot[bot] in #​6436
• chore: Bump @​types/node from 24.10.4 to 25.0.3 in the dev-dependencies-typescript group by @​dependabot[bot] in #​6435
• fix(ts): Align routerOptions defaultRoute types with runtime by @​AnkanMisra in #​6392
• fix(types): require send() payload when Reply type is specified by @​tt-a1i in #​6432
• fix: ajv options type validation by @​gianmarco27 in #​6437
• docs: add non-vulnerability examples to threat model by @​RafaelGSS in #​6431
• feat: implement conditional request logging by @​kibertoad in #​5732
• docs(sponsor): add serpapi by @​Eomm in #​6443
• perf: use native WebStream API instead of Readable.fromWeb wrapper by @​mcollina in #​6444

New Contributors

• @​craftsman01 made their first contribution in #​6110
• @​cseas made their first contribution in #​6355
• @​Shriti507 made their first contribution in #​6394
• @​jon23d made their first contribution in #​6402
• @​KaranHotwani made their first contribution in #​6395
• @​tt-a1i made their first contribution in #​6412
• @​mrazauskas made their first contribution in #​6418
• @​twentytwo777 made their first contribution in #​6423
• @​rohitsoni007 made their first contribution in #​6416
• @​AnkanMisra made their first contribution in #​6392
• @​gianmarco27 made their first contribution in #​6437

Full Changelog: fastify/fastify@v5.6.2...v5.7.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled because a matching PR was automerged previously.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

[jake-kramer]

Fixed by #229