🚨 [security] Update fastify 5.6.1 → 5.8.4 (minor)

[depfu]

---

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

---

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ fastify (5.6.1 → 5.8.4) · Repo

Security Advisories 🚨

🚨 fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections

Summary

When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.

Affected Versions

fastify <= 5.8.2

Impact

Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.

When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.

🚨 Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation

Description

Fastify incorrectly accepts malformed Content-Type headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1. For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.

When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.

Impact

An attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.

Workarounds

Deploy a WAF rule to protect against this

Fix

The fix is available starting with v5.8.1.

🚨 Fastify's Content-Type header tab character allows body validation bypass

Impact

A validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type.

For example, a request with Content-Type: application/json\ta will bypass JSON schema validation but still be parsed as JSON.

This vulnerability affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints. The concrete impact depends on the handler implementation and the level of trust placed in the validated request body, but at the library level, this allows complete bypass of body validation for any handler using Content-Type-discriminated schemas.

This issue is a regression or missed edge case from the fix for a previously reported vulnerability.

Patches

This vulnerability has been patched in Fastify v5.7.2. All users should upgrade to this version or later immediately.

Workarounds

If upgrading is not immediately possible, user can implement a custom onRequest hook to reject requests containing tab characters in the Content-Type header:

fastify.addHook('onRequest', async (request, reply) => {
  const contentType = request.headers['content-type']
  if (contentType && contentType.includes('\t')) {
    reply.code(400).send({ error: 'Invalid Content-Type header' })
  }
})

Resources

• fastify/lib/validation.js

  Line 272 in 759e978

      <tbody>
  

  return header.split(/[ ;]/, 1)[0].trim().toLowerCase()

• fastify/lib/content-type-parser.js

  Line 125 in 759e978

      <tbody>
  

  caseInsensitiveContentType.charCodeAt(parserListItem.length) === 9 /* `\t` */

• Fastify Validation and Serialization Documentation
• https://hackerone.com/reports/3464114

🚨 Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream

Impact

A Denial of Service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation.

Patches

The issue is fixed in Fastify 5.7.3. Users should upgrade to 5.7.3 or later.

Workarounds

Avoid sending Web Streams from Fastify responses (e.g., ReadableStream or Response bodies). Use Node.js streams (stream.Readable) or buffered payloads instead until the project can upgrade.

References

• https://hackerone.com/reports/3524779

Release Notes

5.8.4

Full Changelog: v5.8.3...v5.8.4

5.8.3

⚠️ Security Release

This fixes CVE CVE-2026-3635 GHSA-444r-cwp2-x5xf.

What's Changed

• docs(readme): add @Tony133 to plugin team by @Tony133 in #6565
• Updated Plugins-Guide.md; Changed "fastify" to "instance" during plugin registration to showcase that it's added as a child by @kyrylchenko in #6566
• test: use fastify.test in test case by @climba03003 in #6568
• docs: use fastify.example in documentation by @climba03003 in #6567
• docs: add common performance degradation guidance by @maxpetrusenko in #6520
• docs(server): fix camelCase anchor links in TOC by @Deepvamja in #6530
• ci(link-checker): fix root-relative links resolution by @barba-rossa in #6535
• docs: update syntax markdown, absolute paths and links by @Tony133 in #6569
• docs: clarify content-type parser/schema mismatch is outside threat model by @mcollina in #6537
• docs: fix incorrect code examples in Reply and Request reference by @mahmoodhamdi in #6582
• docs: replace redirected npm.im http-errors link by @mcollina in #6588
• types: Allow port to be null in request type definition by @TristanBarlow in #6589
• docs: update links by @Tony133 in #6593
• ci(lock-threads): use shared lock-threads workflow by @Fdawgs in #6592

New Contributors

• @kyrylchenko made their first contribution in #6566
• @maxpetrusenko made their first contribution in #6520
• @Deepvamja made their first contribution in #6530
• @barba-rossa made their first contribution in #6535
• @mahmoodhamdi made their first contribution in #6582
• @TristanBarlow made their first contribution in #6589

Full Changelog: v5.8.2...v5.8.3

5.8.2

What's Changed

• docs(ecosystem): add @yeliex/fastify-problem-details by @yeliex in #6546
• Revert "chore: upgrade borp to v1.0.0" by @climba03003 in #6564
• docs: document body validation with custom content type parsers by @mcollina in #6556
• docs(ecosystem): add fastify-file-router by @bhouston in #6441
• docs: add fastify-svelte-view to Ecosystem list by @matths in #6453
• fix: anchor keyValuePairsReg to prevent quadratic backtracking by @mcollina in #6558
• docs: added note on handling of invalid URLs in setNotFoundHandler by @leftieFriele in #5661
• docs(guides): update codemod links by @OluchiEzeifedikwa in #6479
• docs: add @glidemq/fastify to community plugins by @avifenesh in #6560

New Contributors

• @yeliex made their first contribution in #6546
• @matths made their first contribution in #6453
• @leftieFriele made their first contribution in #5661
• @OluchiEzeifedikwa made their first contribution in #6479
• @avifenesh made their first contribution in #6560

Full Changelog: v5.8.1...v5.8.2

5.8.1

⚠️ Security Release

Fixes "Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation": GHSA-573f-x89g-hqp9.

CVE-2026-3419

Full Changelog: v5.8.0...v5.8.1

5.8.0

What's Changed

• docs(request): add host security warning references by @mcollina in #6476
• docs: fix note style by @Fdawgs in #6487
• chore: rename deploy website ci by @Eomm in #6492
• chore: support pino v9 and v10 by @mcollina in #6496
• chore: update logger types and fix TODO comment by @Tony133 in #6470
• refactor(test-types): migrate dummy-plugin to FastifyPluginAsync by @Tony133 in #6472
• docs: fix markdown typo in README.md by @droppingbeans in #6491
• test: cover non-numeric content-length client error path by @mcollina in #6500
• ci: remove tests-checker workflow by @Tony133 in #6481
• ci: remove stale.yml file by @Tony133 in #6504
• docs(security): remove hackerone references; change note style by @Fdawgs in #6501
• chore: rename @sinclair/typebox to typebox by @Tony133 in #6494
• ci(links-check): add external link checker using linkinator-action by @umxr in #6386
• chore: upgrade borp to v1.0.0 by @Tony133 in #6510
• docs: Add OpenJS CNA reference to SECURITY.md by @mcollina in #6516
• fix: avoid mutating shared routerOptions across instances by @mcollina in #6515
• fix(types): accept async route hooks in shorthand options by @mcollina in #6514
• docs: Improve shutdown lifecycle documentation by @kibertoad in #6517
• chore: remove unused tsconfig.eslint.json by @mrazauskas in #6524
• feat: First-class support for handler-level timeouts by @kibertoad in #6521
• docs(security): clarify insecureHTTPParser threat model scope by @mcollina in #6533
• chore(license): standardise license notice by @Fdawgs in #6511
• docs: clarify anyOf nullable coercion behavior with primitive types by @slegarraga in #6531
• fix: remove format placeholder from FST_ERR_CTP_INVALID_MEDIA_TYPE message by @super-mcgin in #6528
• docs(reference/hooks): fix note style by @Fdawgs in #6538
• chore: Bump lycheeverse/lychee-action from 2.7.0 to 2.8.0 by @dependabot[bot] in #6539
• chore: Bump actions/dependency-review-action from 4.8.2 to 4.8.3 by @dependabot[bot] in #6540
• chore: Bump markdownlint-cli2 from 0.20.0 to 0.21.0 by @dependabot[bot] in #6542
• ci: remove broken links and add ecosystem link validator by @mcollina in #6421
• ci(validate-ecoystem-links): add job level permission by @Fdawgs in #6545
• style: remove trailing whitespace by @Fdawgs in #6543

New Contributors

• @droppingbeans made their first contribution in #6491
• @umxr made their first contribution in #6386
• @slegarraga made their first contribution in #6531
• @super-mcgin made their first contribution in #6528

Full Changelog: v5.7.4...v5.8.0

5.7.4

Full Changelog: v5.7.3...v5.7.4

5.7.3

⚠️ Security Release

• Fix GHSA-mrq3-vjjr-p77c CVE-2026-25224.

What's Changed

• docs: update Reply.send() documentation for string serialization by @mcollina in #6466
• chore: ignore agents config files by @mcollina in #6474
• docs: update vulnerability reporting to use GitHub Security by @mcollina in #6475

Full Changelog: v5.7.2...v5.7.3

5.7.2

⚠️ Notice ⚠️

Parsing of the content-type header has been improved to a strict parser in PR #6414. This means only header values in the form described in RFC 9110 are accepted.

What's Changed

• chore: npm ignore AI related files by @climba03003 in #6447
• chore: update sponsor url by @Eomm in #6450
• docs: add fastify-http-exceptions to Ecosystem.md by @bhouston in #6442
• docs: fix invalid shorten form schema example by @climba03003 in #6448
• docs: Simplify and tighten decorators example by @smith558 in #6451
• docs: Fix incorrect variable use by @smith558 in #6455
• chore: update sponsor link by @Eomm in #6460
• fix: Fix MIT Licence file to conform to standard by @smith558 in #6464
• docs: move querystringParser option under routerOptions by @inyourtime in #6463
• chore: Updated content-type header parsing by @jsumners in #6414

New Contributors

• @bhouston made their first contribution in #6442

Full Changelog: v5.7.1...v5.7.2

5.7.1

What's Changed

• chore: Bump actions/checkout from 5 to 6 by @dependabot[bot] in #6434
• chore: updated version in the fastify.js by @Tony133 in #6446

Full Changelog: v5.7.0...v5.7.1

5.7.0

What's Changed

• docs: Improved firebase serverless guide about process remaining stuck by @alexandercerutti in #6380
• docs: update migration guide with date-time breaking change by @craftsman01 in #6110
• chore: remove test file by @Eomm in #6384
• feat: speed up loading with custom compiler by @Eomm in #6383
• docs: replace all instances of twitter.com with x.com by @cseas in #6355
• docs: correct logger option in example by @inyourtime in #6391
• docs: fix links by @Shriti507 in #6394
• chore: skip unnecessary object creation by @Eomm in #6400
• docs: Update JSON Schema link in documentation by @jon23d in #6402
• docs(ecosystem): add fastify-ses-mailer by @KaranHotwani in #6395
• docs: add security note about validation errors in response by @mcollina in #6407
• docs: add security threat model by @mcollina in #6406
• chore: update onboarding and offboarding instructions by @Eomm in #6403
• fix: set status code before publishing diagnostics error channel by @tt-a1i in #6412
• fix: use JSON.stringify in onBadUrl for proper escaping by @mcollina in #6420
• chore: fix type test by @mrazauskas in #6418
• docs: improve Validation-and-Serialization.md by @twentytwo777 in #6423
• test: skip IPv6 test if its support is not present by @LiviaMedeiros in #6428
• test: fix test when localhost has multiple addresses by @LiviaMedeiros in #6427
• docs: add security warning for requestIdHeader by @mcollina in #6425
• docs(ecosystem): add elements-fastify by @rohitsoni007 in #6416
• chore: Bump actions/dependency-review-action from 4.8.1 to 4.8.2 by @dependabot[bot] in #6433
• chore: Bump markdownlint-cli2 from 0.18.1 to 0.20.0 by @dependabot[bot] in #6436
• chore: Bump @types/node from 24.10.4 to 25.0.3 in the dev-dependencies-typescript group by @dependabot[bot] in #6435
• fix(ts): Align routerOptions defaultRoute types with runtime by @AnkanMisra in #6392
• fix(types): require send() payload when Reply type is specified by @tt-a1i in #6432
• fix: ajv options type validation by @gianmarco27 in #6437
• docs: add non-vulnerability examples to threat model by @RafaelGSS in #6431
• feat: implement conditional request logging by @kibertoad in #5732
• docs(sponsor): add serpapi by @Eomm in #6443
• perf: use native WebStream API instead of Readable.fromWeb wrapper by @mcollina in #6444

New Contributors

• @craftsman01 made their first contribution in #6110
• @cseas made their first contribution in #6355
• @Shriti507 made their first contribution in #6394
• @jon23d made their first contribution in #6402
• @KaranHotwani made their first contribution in #6395
• @tt-a1i made their first contribution in #6412
• @mrazauskas made their first contribution in #6418
• @twentytwo777 made their first contribution in #6423
• @rohitsoni007 made their first contribution in #6416
• @AnkanMisra made their first contribution in #6392
• @gianmarco27 made their first contribution in #6437

Full Changelog: v5.6.2...v5.7.0

5.6.2

What's Changed

• refactor: rename source file names with kebab-case by @jean-michelet in #6331
• ci(ci): check dependabot prs originate from repo by @Fdawgs in #6330
• fix: accept htab ows by @jean-michelet in #6303
• fix: handle non FastifyErrors in custom handler properly, set type of error-parameter for setErrorHandler and errorHandler to unknown, but configurable via generic TError by @Uzlopak in #6308
• build(deps-dev): remove @fastify/pre-commit by @Fdawgs in #6319
• ci: improve citgm workflows by @Uzlopak in #6334
• docs: explain stream error handling by @lundibundi in #5746
• fix: error throwing in reply by @juanlet in #6299
• refactor: delegate options processing to a dedicated function by @jean-michelet in #6333
• ci: remove label of citgm only on pull_request.labeled, add options for workflow_dispatch by @Uzlopak in #6335
• chore: Bump actions/checkout from 4 to 5 by @dependabot[bot] in #6343
• chore: Bump joi from 17.13.3 to 18.0.1 by @dependabot[bot] in #6347
• chore: Bump lycheeverse/lychee-action from 2.4.1 to 2.6.1 by @dependabot[bot] in #6345
• chore: Bump actions/dependency-review-action from 4.7.1 to 4.8.0 by @dependabot[bot] in #6344
• chore: Bump actions/labeler from 5 to 6 by @dependabot[bot] in #6341
• chore: Bump actions/setup-node from 4 to 5 by @dependabot[bot] in #6342
• chore: Bump actions/github-script from 7 to 8 by @dependabot[bot] in #6340
• docs: mention that addHttpMethod override existing methods by @jean-michelet in #6350
• chore: remove reference to simple-get by @ilteoood in #6353
• chore: remove commented tests by @ilteoood in #6352
• fix: respect child logger factory in fastify options by @cysp in #6349
• docs(ecosystem): adding attaryz/fastify-devtools to community plugins by @attaryz in #6339
• docs: remove ambiguity from statement by @udohjeremiah in #6360
• chore: add @fastify/sse as fastify core plugin to documentation and citgm by @manshusainishab in #6364
• docs(guides/fluent-schema): replace last nb usage by @Fdawgs in #6365
• style(ci): remove whitespace from concurrency group by @Fdawgs in #6366
• docs: Fix broken link to TypeBox doc website wrt AJV setup by @melroy89 in #6367
• docs(reference/plugins): mention async plugins by @Fdawgs in #6357
• chore: add max-len ESLint rule with 120 character limit by @emicovi in #6221
• chore: Bump actions/dependency-review-action from 4.8.0 to 4.8.1 by @dependabot[bot] in #6374
• chore: Bump pino from 9.14.0 to 10.1.0 in the dependencies-major group by @dependabot[bot] in #6378
• chore: Bump pnpm/action-setup from 4.1.0 to 4.2.0 by @dependabot[bot] in #6375
• chore: Bump tsd from 0.32.0 to 0.33.0 in the dev-dependencies-typescript group by @dependabot[bot] in #6346
• chore: Bump lycheeverse/lychee-action from 2.6.1 to 2.7.0 by @dependabot[bot] in #6377
• fix: handle web stream payload in HEAD route by @orionmiz in #6372
• chore: Bump actions/setup-node from 5 to 6 by @dependabot[bot] in #6376
• chore: Bump borp from 0.20.2 to 0.21.0 by @dependabot[bot] in #6379
• fix: parse ipv6 hostname by @jean-michelet in #6373
• fix: consistent error handling for custom validators in async validation contexts by @emicovi in #6247

New Contributors

• @juanlet made their first contribution in #6299
• @cysp made their first contribution in #6349
• @attaryz made their first contribution in #6339
• @udohjeremiah made their first contribution in #6360
• @manshusainishab made their first contribution in #6364
• @orionmiz made their first contribution in #6372

Full Changelog: v5.6.1...v5.6.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[changeset-bot]

⚠️ No Changeset found

Latest commit: 673c9db

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[depfu]

Closed in favor of #68.