Publish GHSA-mg2h-6x62-wpwc

advisory-database[bot] · advisory-database[bot] · commit ddb8104da919 · 2025-04-18T20:39:59.000Z
diff --git a/advisories/github-reviewed/2025/04/GHSA-mg2h-6x62-wpwc/GHSA-mg2h-6x62-wpwc.json b/advisories/github-reviewed/2025/04/GHSA-mg2h-6x62-wpwc/GHSA-mg2h-6x62-wpwc.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mg2h-6x62-wpwc",
-  "modified": "2025-04-18T18:34:35Z",
+  "modified": "2025-04-18T20:38:47Z",
   "published": "2025-04-18T15:02:41Z",
   "aliases": [
     "CVE-2025-32442"
   ],
   "summary": "Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass",
-  "details": "### Impact\n\nIn applications that specify different validation strategies for different content types, it's possible to bypass the validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`.\n\nUsers using the the following pattern are affected:\n\n```js\nfastify.post('/', {\n  handler(request, reply) {\n    reply.code(200).send(request.body)\n  },\n  schema: {\n    body: {\n      content: {\n        'application/json': {\n          schema: {\n            type: 'object',\n            properties: {\n              'foo': {\n                type: 'string',\n              }\n            },\n            required: ['foo']\n          }\n        },\n      }\n    }\n  }\n})\n```\n\nUser using the following pattern are **not** affected:\n\n```js\nfastify.post('/', {\n  handler(request, reply) {\n    reply.code(200).send(request.body)\n  },\n  schema: {\n    body: {\n      type: 'object',\n      properties: {\n        'foo': {\n          type: 'string',\n        }\n      },\n      required: ['foo']\n    }\n  }\n})\n```\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\n### Workarounds\n\nDo not specify individual content types in the schema.\n\n### References\n_Are there any links users can visit to find out more?_\n\nhttps://hackerone.com/reports/3087928",
+  "details": "### Impact\n\nIn applications that specify different validation strategies for different content types, it's possible to bypass the validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`.\n\nUsers using the the following pattern are affected:\n\n```js\nfastify.post('/', {\n  handler(request, reply) {\n    reply.code(200).send(request.body)\n  },\n  schema: {\n    body: {\n      content: {\n        'application/json': {\n          schema: {\n            type: 'object',\n            properties: {\n              'foo': {\n                type: 'string',\n              }\n            },\n            required: ['foo']\n          }\n        },\n      }\n    }\n  }\n})\n```\n\nUser using the following pattern are **not** affected:\n\n```js\nfastify.post('/', {\n  handler(request, reply) {\n    reply.code(200).send(request.body)\n  },\n  schema: {\n    body: {\n      type: 'object',\n      properties: {\n        'foo': {\n          type: 'string',\n        }\n      },\n      required: ['foo']\n    }\n  }\n})\n```\n\n### Patches\n\nThis was patched in v5.3.1, but unfortunately it did not cover all problems. This has been fully patched in v5.3.2.\n\n### Workarounds\n\nDo not specify multiple content types in the schema.\n\n### References\n_Are there any links users can visit to find out more?_\n\nhttps://hackerone.com/reports/3087928",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -28,13 +28,13 @@
               "introduced": "5.0.0"
             },
             {
-              "fixed": "5.3.1"
+              "fixed": "5.3.2"
             }
           ]
         }
       ],
       "database_specific": {
-        "last_known_affected_version_range": "<= 5.3.0"
+        "last_known_affected_version_range": "<= 5.3.1"
       }
     }
   ],
@@ -51,6 +51,10 @@
       "type": "WEB",
       "url": "https://github.com/fastify/fastify/commit/436da4c06dfbbb8c24adee3a64de0c51e4f47418"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4"
+    },
     {
       "type": "WEB",
       "url": "https://hackerone.com/reports/3087928"

Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,13 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-mg2h-6x62-wpwc",`
`4`		`- "modified": "2025-04-18T18:34:35Z",`
	`4`	`+ "modified": "2025-04-18T20:38:47Z",`
`5`	`5`	`"published": "2025-04-18T15:02:41Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2025-32442"`
`8`	`8`	`],`
`9`	`9`	`"summary": "Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass",`
`10`		- "details": "### Impact\n\nIn applications that specify different validation strategies for different content types, it's possible to bypass the validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`.\n\nUsers using the the following pattern are affected:\n\n```js\nfastify.post('/', {\n handler(request, reply) {\n reply.code(200).send(request.body)\n },\n schema: {\n body: {\n content: {\n 'application/json': {\n schema: {\n type: 'object',\n properties: {\n 'foo': {\n type: 'string',\n }\n },\n required: ['foo']\n }\n },\n }\n }\n }\n})\n```\n\nUser using the following pattern are not affected:\n\n```js\nfastify.post('/', {\n handler(request, reply) {\n reply.code(200).send(request.body)\n },\n schema: {\n body: {\n type: 'object',\n properties: {\n 'foo': {\n type: 'string',\n }\n },\n required: ['foo']\n }\n }\n})\n```\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\n### Workarounds\n\nDo not specify individual content types in the schema.\n\n### References\n_Are there any links users can visit to find out more?_\n\nhttps://hackerone.com/reports/3087928",
	`10`	+ "details": "### Impact\n\nIn applications that specify different validation strategies for different content types, it's possible to bypass the validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`.\n\nUsers using the the following pattern are affected:\n\n```js\nfastify.post('/', {\n handler(request, reply) {\n reply.code(200).send(request.body)\n },\n schema: {\n body: {\n content: {\n 'application/json': {\n schema: {\n type: 'object',\n properties: {\n 'foo': {\n type: 'string',\n }\n },\n required: ['foo']\n }\n },\n }\n }\n }\n})\n```\n\nUser using the following pattern are not affected:\n\n```js\nfastify.post('/', {\n handler(request, reply) {\n reply.code(200).send(request.body)\n },\n schema: {\n body: {\n type: 'object',\n properties: {\n 'foo': {\n type: 'string',\n }\n },\n required: ['foo']\n }\n }\n})\n```\n\n### Patches\n\nThis was patched in v5.3.1, but unfortunately it did not cover all problems. This has been fully patched in v5.3.2.\n\n### Workarounds\n\nDo not specify multiple content types in the schema.\n\n### References\n_Are there any links users can visit to find out more?_\n\nhttps://hackerone.com/reports/3087928",
`11`	`11`	`"severity": [`
`12`	`12`	`{`
`13`	`13`	`"type": "CVSS_V3",`
`@@ -28,13 +28,13 @@`
`28`	`28`	`"introduced": "5.0.0"`
`29`	`29`	`},`
`30`	`30`	`{`
`31`		`- "fixed": "5.3.1"`
	`31`	`+ "fixed": "5.3.2"`
`32`	`32`	`}`
`33`	`33`	`]`
`34`	`34`	`}`
`35`	`35`	`],`
`36`	`36`	`"database_specific": {`
`37`		`- "last_known_affected_version_range": "<= 5.3.0"`
	`37`	`+ "last_known_affected_version_range": "<= 5.3.1"`
`38`	`38`	`}`
`39`	`39`	`}`
`40`	`40`	`],`
`@@ -51,6 +51,10 @@`
`51`	`51`	`"type": "WEB",`
`52`	`52`	`"url": "https://github.com/fastify/fastify/commit/436da4c06dfbbb8c24adee3a64de0c51e4f47418"`
`53`	`53`	`},`
	`54`	`+ {`
	`55`	`+ "type": "WEB",`
	`56`	`+ "url": "https://github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4"`
	`57`	`+ },`
`54`	`58`	`{`
`55`	`59`	`"type": "WEB",`
`56`	`60`	`"url": "https://hackerone.com/reports/3087928"`