SB20260414104 - Incorrect Regular Expression in Fastify




Published: April 14, 2026

Security Bulletin ID: SB20260414104
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Incorrect Regular Expression (CVE-ID: CVE-2026-3419)

The vulnerability allows a remote attacker to bypass content-type validation and submit malformed requests that are processed by the server.

The vulnerability exists due to an incorrect regular expression in subtypeNameReg when validating Content-Type headers that contain trailing characters after the subtype token. A remote attacker can send a specially crafted request with a malformed Content-Type header to bypass content-type validation and submit malformed requests that are processed by the server.

When regex-based content-type parsers are in use, the malformed header value may be matched against registered parsers using the full string including the trailing garbage.
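
The class of flaw described above, shown as an added example that is not Fastify's code or the vendor's patch: a start-anchored media-type check beside a fully anchored one, with regex parser dispatch run on the normalized type/subtype instead of the raw header. The patterns, the parser table, the function names and the sample header values are all constructed assumptions.

```javascript
// Added illustration: hypothetical names; these patterns are not Fastify's source.
const TCHAR = "[!#$%&'*+.^_`|~0-9A-Za-z-]"; // RFC 9110 token characters

// Weak check: anchored at the start only, so text after the subtype is never inspected.
const LOOSE = new RegExp(String.raw`^${TCHAR}+/${TCHAR}+`);

// Strict check: type "/" subtype, optional ";name=value" parameters, then end of string.
const STRICT = new RegExp(
  String.raw`^(${TCHAR}+)/(${TCHAR}+)` +
  String.raw`(?:[ \t]*;[ \t]*${TCHAR}+=(?:${TCHAR}+|"(?:[^"\\]|\\.)*"))*[ \t]*$`
);

// Constructed parser table: one regex-registered parser, as an application might configure.
const parsers = [{ name: "json-like", match: /^application\/.*json/ }];

// Before: the loose check passes the header and the parser regex sees the full raw string.
function selectParserLoose(header) {
  if (!LOOSE.test(header)) return null;
  const hit = parsers.find((p) => p.match.test(header));
  return hit ? hit.name : null;
}

// After: reject anything the strict grammar does not fully consume, then match
// parsers against the normalized "type/subtype" only, never the raw header.
function selectParserStrict(header) {
  const m = STRICT.exec(header);
  if (!m) return null; // caller should answer 415 Unsupported Media Type
  const essence = `${m[1]}/${m[2]}`.toLowerCase();
  const hit = parsers.find((p) => p.match.test(essence));
  return hit ? hit.name : null;
}

// Constructed sample header values.
const samples = [
  "application/json",
  "application/json; charset=utf-8",
  'application/json; charset="utf-8"',
  "application/json trailing-text", // characters after the subtype token
];

function compare() {
  return samples.map((h) => ({
    header: h, loose: selectParserLoose(h), strict: selectParserStrict(h),
  }));
}
console.table(compare());
```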


Remediation

Install the update from the vendor's website.