Update dependency fastify to v5.8.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
fastify (source)	5.6.2 → 5.8.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-25224

Impact

A Denial of Service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation.

Patches

The issue is fixed in Fastify 5.7.3. Users should upgrade to 5.7.3 or later.

Workarounds

Avoid sending Web Streams from Fastify responses (e.g., ReadableStream or Response bodies). Use Node.js streams (stream.Readable) or buffered payloads instead until the project can upgrade.

References

• https://hackerone.com/reports/3524779

CVE-2026-25223

Impact

A validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type.

For example, a request with Content-Type: application/json\ta will bypass JSON schema validation but still be parsed as JSON.

This vulnerability affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints. The concrete impact depends on the handler implementation and the level of trust placed in the validated request body, but at the library level, this allows complete bypass of body validation for any handler using Content-Type-discriminated schemas.

This issue is a regression or missed edge case from the fix for a previously reported vulnerability.

Patches

This vulnerability has been patched in Fastify v5.7.2. All users should upgrade to this version or later immediately.

Workarounds

If upgrading is not immediately possible, user can implement a custom onRequest hook to reject requests containing tab characters in the Content-Type header:

fastify.addHook('onRequest', async (request, reply) => {
  const contentType = request.headers['content-type']
  if (contentType && contentType.includes('\t')) {
    reply.code(400).send({ error: 'Invalid Content-Type header' })
  }
})

Resources

• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272
• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125
• Fastify Validation and Serialization Documentation
• https://hackerone.com/reports/3464114

CVE-2026-3419

Description

Fastify incorrectly accepts malformed Content-Type headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1. For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.

When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.

Impact

An attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.

Workarounds

Deploy a WAF rule to protect against this

Fix

The fix is available starting with v5.8.1.

---

Release Notes

fastify/fastify (fastify)

v5.8.1

Compare Source

v5.8.0

Compare Source

v5.7.4

Compare Source

Full Changelog: fastify/fastify@v5.7.3...v5.7.4

v5.7.3

Compare Source

⚠️ Security Release

• Fix GHSA-mrq3-vjjr-p77c CVE-2026-25224.

What's Changed

• docs: update Reply.send() documentation for string serialization by @​mcollina in #​6466
• chore: ignore agents config files by @​mcollina in #​6474
• docs: update vulnerability reporting to use GitHub Security by @​mcollina in #​6475

Full Changelog: fastify/fastify@v5.7.2...v5.7.3

v5.7.2

Compare Source

⚠️ Notice ⚠️

Parsing of the content-type header has been improved to a strict parser in PR #​6414. This means only header values in the form described in RFC 9110 are accepted.

What's Changed

• chore: npm ignore AI related files by @​climba03003 in #​6447
• chore: update sponsor url by @​Eomm in #​6450
• docs: add fastify-http-exceptions to Ecosystem.md by @​bhouston in #​6442
• docs: fix invalid shorten form schema example by @​climba03003 in #​6448
• docs: Simplify and tighten decorators example by @​smith558 in #​6451
• docs: Fix incorrect variable use by @​smith558 in #​6455
• chore: update sponsor link by @​Eomm in #​6460
• fix: Fix MIT Licence file to conform to standard by @​smith558 in #​6464
• docs: move querystringParser option under routerOptions by @​inyourtime in #​6463
• chore: Updated content-type header parsing by @​jsumners in #​6414

New Contributors

• @​bhouston made their first contribution in #​6442

Full Changelog: fastify/fastify@v5.7.1...v5.7.2

v5.7.1

Compare Source

What's Changed

• chore: Bump actions/checkout from 5 to 6 by @​dependabot[bot] in #​6434
• chore: updated version in the fastify.js by @​Tony133 in #​6446

Full Changelog: fastify/fastify@v5.7.0...v5.7.1

v5.7.0

Compare Source

What's Changed

• docs: Improved firebase serverless guide about process remaining stuck by @​alexandercerutti in #​6380
• docs: update migration guide with date-time breaking change by @​craftsman01 in #​6110
• chore: remove test file by @​Eomm in #​6384
• feat: speed up loading with custom compiler by @​Eomm in #​6383
• docs: replace all instances of twitter.com with x.com by @​cseas in #​6355
• docs: correct logger option in example by @​inyourtime in #​6391
• docs: fix links by @​Shriti507 in #​6394
• chore: skip unnecessary object creation by @​Eomm in #​6400
• docs: Update JSON Schema link in documentation by @​jon23d in #​6402
• docs(ecosystem): add fastify-ses-mailer by @​KaranHotwani in #​6395
• docs: add security note about validation errors in response by @​mcollina in #​6407
• docs: add security threat model by @​mcollina in #​6406
• chore: update onboarding and offboarding instructions by @​Eomm in #​6403
• fix: set status code before publishing diagnostics error channel by @​tt-a1i in #​6412
• fix: use JSON.stringify in onBadUrl for proper escaping by @​mcollina in #​6420
• chore: fix type test by @​mrazauskas in #​6418
• docs: improve Validation-and-Serialization.md by @​twentytwo777 in #​6423
• test: skip IPv6 test if its support is not present by @​LiviaMedeiros in #​6428
• test: fix test when localhost has multiple addresses by @​LiviaMedeiros in #​6427
• docs: add security warning for requestIdHeader by @​mcollina in #​6425
• docs(ecosystem): add elements-fastify by @​rohitsoni007 in #​6416
• chore: Bump actions/dependency-review-action from 4.8.1 to 4.8.2 by @​dependabot[bot] in #​6433
• chore: Bump markdownlint-cli2 from 0.18.1 to 0.20.0 by @​dependabot[bot] in #​6436
• chore: Bump @​types/node from 24.10.4 to 25.0.3 in the dev-dependencies-typescript group by @​dependabot[bot] in #​6435
• fix(ts): Align routerOptions defaultRoute types with runtime by @​AnkanMisra in #​6392
• fix(types): require send() payload when Reply type is specified by @​tt-a1i in #​6432
• fix: ajv options type validation by @​gianmarco27 in #​6437
• docs: add non-vulnerability examples to threat model by @​RafaelGSS in #​6431
• feat: implement conditional request logging by @​kibertoad in #​5732
• docs(sponsor): add serpapi by @​Eomm in #​6443
• perf: use native WebStream API instead of Readable.fromWeb wrapper by @​mcollina in #​6444

New Contributors

• @​craftsman01 made their first contribution in #​6110
• @​cseas made their first contribution in #​6355
• @​Shriti507 made their first contribution in #​6394
• @​jon23d made their first contribution in #​6402
• @​KaranHotwani made their first contribution in #​6395
• @​tt-a1i made their first contribution in #​6412
• @​mrazauskas made their first contribution in #​6418
• @​twentytwo777 made their first contribution in #​6423
• @​rohitsoni007 made their first contribution in #​6416
• @​AnkanMisra made their first contribution in #​6392
• @​gianmarco27 made their first contribution in #​6437

Full Changelog: fastify/fastify@v5.6.2...v5.7.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 94dae0d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR