Commit f9ee848

1 parent 76a3769 commit f9ee848

1 file changed

Lines changed: 2 additions & 2 deletions

advisories/github-reviewed/2025/04/GHSA-mg2h-6x62-wpwc/GHSA-mg2h-6x62-wpwc.json

@@ -1,12 +1,12 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-mg2h-6x62-wpwc",
4-
"modified": "2025-04-18T15:02:41Z",
4+
"modified": "2025-04-18T15:58:43Z",
55
"published": "2025-04-18T15:02:41Z",
66
"aliases": [
77
"CVE-2025-32442"
88
],
9-
"summary": "Fasify vulnerable to invalid content-type parsing, which could lead to validation bypass",
9+
"summary": "Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass",
1010
"details": "### Impact\n\nIn applications that specify different validation strategies for different content types, it's possible to bypass the validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`.\n\nUsers using the the following pattern are affected:\n\n```js\nfastify.post('/', {\n handler(request, reply) {\n reply.code(200).send(request.body)\n },\n schema: {\n body: {\n content: {\n 'application/json': {\n schema: {\n type: 'object',\n properties: {\n 'foo': {\n type: 'string',\n }\n },\n required: ['foo']\n }\n },\n }\n }\n }\n})\n```\n\nUser using the following pattern are **not** affected:\n\n```js\nfastify.post('/', {\n handler(request, reply) {\n reply.code(200).send(request.body)\n },\n schema: {\n body: {\n type: 'object',\n properties: {\n 'foo': {\n type: 'string',\n }\n },\n required: ['foo']\n }\n }\n})\n```\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\n### Workarounds\n\nDo not specify individual content types in the schema.\n\n### References\n_Are there any links users can visit to find out more?_\n\nhttps://hackerone.com/reports/3087928",
1111
"severity": [
1212
{
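
Review bot: the `details` string on line 10 is left unchanged and still carries unfilled advisory template text: `_Has the problem been patched? What versions should users upgrade to?_` under `### Patches` and `_Are there any links users can visit to find out more?_` under `### References`, so the record gives readers no version to upgrade to and only the workaround to act on. Since this commit is already a copy-edit of the advisory, replace the Patches placeholder with the fixed version(s) from the upstream advisory and drop the References prompt while keeping the HackerOne link. The same string also contains "Users using the the following pattern" (doubled "the") and "User using the following pattern are **not** affected" (should be "Users"), which belong in the same pass as the "Fasify" correction in `summary`.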
