chore(deps): update dependency fastify to v5 [security] - autoclosed

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
fastify (source)	4.18.0 → 5.7.2

GitHub Vulnerability Alerts

CVE-2026-25223

Impact

A validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type.

For example, a request with Content-Type: application/json\ta will bypass JSON schema validation but still be parsed as JSON.

This vulnerability affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints. The concrete impact depends on the handler implementation and the level of trust placed in the validated request body, but at the library level, this allows complete bypass of body validation for any handler using Content-Type-discriminated schemas.

This issue is a regression or missed edge case from the fix for a previously reported vulnerability.

Patches

This vulnerability has been patched in Fastify v5.7.2. All users should upgrade to this version or later immediately.

Workarounds

If upgrading is not immediately possible, user can implement a custom onRequest hook to reject requests containing tab characters in the Content-Type header:

fastify.addHook('onRequest', async (request, reply) => {
  const contentType = request.headers['content-type']
  if (contentType && contentType.includes('\t')) {
    reply.code(400).send({ error: 'Invalid Content-Type header' })
  }
})

Resources

• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272
• https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125
• Fastify Validation and Serialization Documentation
• https://hackerone.com/reports/3464114

---

Release Notes

fastify/fastify (fastify)

v5.7.2

Compare Source

⚠️ Notice ⚠️

Parsing of the content-type header has been improved to a strict parser in PR #​6414. This means only header values in the form described in RFC 9110 are accepted.

What's Changed

• chore: npm ignore AI related files by @​climba03003 in #​6447
• chore: update sponsor url by @​Eomm in #​6450
• docs: add fastify-http-exceptions to Ecosystem.md by @​bhouston in #​6442
• docs: fix invalid shorten form schema example by @​climba03003 in #​6448
• docs: Simplify and tighten decorators example by @​smith558 in #​6451
• docs: Fix incorrect variable use by @​smith558 in #​6455
• chore: update sponsor link by @​Eomm in #​6460
• fix: Fix MIT Licence file to conform to standard by @​smith558 in #​6464
• docs: move querystringParser option under routerOptions by @​inyourtime in #​6463
• chore: Updated content-type header parsing by @​jsumners in #​6414

New Contributors

• @​bhouston made their first contribution in #​6442

Full Changelog: fastify/fastify@v5.7.1...v5.7.2

v5.7.1

Compare Source

What's Changed

• chore: Bump actions/checkout from 5 to 6 by @​dependabot[bot] in #​6434
• chore: updated version in the fastify.js by @​Tony133 in #​6446

Full Changelog: fastify/fastify@v5.7.0...v5.7.1

v5.7.0

Compare Source

What's Changed

• docs: Improved firebase serverless guide about process remaining stuck by @​alexandercerutti in #​6380
• docs: update migration guide with date-time breaking change by @​craftsman01 in #​6110
• chore: remove test file by @​Eomm in #​6384
• feat: speed up loading with custom compiler by @​Eomm in #​6383
• docs: replace all instances of twitter.com with x.com by @​cseas in #​6355
• docs: correct logger option in example by @​inyourtime in #​6391
• docs: fix links by @​Shriti507 in #​6394
• chore: skip unnecessary object creation by @​Eomm in #​6400
• docs: Update JSON Schema link in documentation by @​jon23d in #​6402
• docs(ecosystem): add fastify-ses-mailer by @​KaranHotwani in #​6395
• docs: add security note about validation errors in response by @​mcollina in #​6407
• docs: add security threat model by @​mcollina in #​6406
• chore: update onboarding and offboarding instructions by @​Eomm in #​6403
• fix: set status code before publishing diagnostics error channel by @​tt-a1i in #​6412
• fix: use JSON.stringify in onBadUrl for proper escaping by @​mcollina in #​6420
• chore: fix type test by @​mrazauskas in #​6418
• docs: improve Validation-and-Serialization.md by @​twentytwo777 in #​6423
• test: skip IPv6 test if its support is not present by @​LiviaMedeiros in #​6428
• test: fix test when localhost has multiple addresses by @​LiviaMedeiros in #​6427
• docs: add security warning for requestIdHeader by @​mcollina in #​6425
• docs(ecosystem): add elements-fastify by @​rohitsoni007 in #​6416
• chore: Bump actions/dependency-review-action from 4.8.1 to 4.8.2 by @​dependabot[bot] in #​6433
• chore: Bump markdownlint-cli2 from 0.18.1 to 0.20.0 by @​dependabot[bot] in #​6436
• chore: Bump @​types/node from 24.10.4 to 25.0.3 in the dev-dependencies-typescript group by @​dependabot[bot] in #​6435
• fix(ts): Align routerOptions defaultRoute types with runtime by @​AnkanMisra in #​6392
• fix(types): require send() payload when Reply type is specified by @​tt-a1i in #​6432
• fix: ajv options type validation by @​gianmarco27 in #​6437
• docs: add non-vulnerability examples to threat model by @​RafaelGSS in #​6431
• feat: implement conditional request logging by @​kibertoad in #​5732
• docs(sponsor): add serpapi by @​Eomm in #​6443
• perf: use native WebStream API instead of Readable.fromWeb wrapper by @​mcollina in #​6444

New Contributors

• @​craftsman01 made their first contribution in #​6110
• @​cseas made their first contribution in #​6355
• @​Shriti507 made their first contribution in #​6394
• @​jon23d made their first contribution in #​6402
• @​KaranHotwani made their first contribution in #​6395
• @​tt-a1i made their first contribution in #​6412
• @​mrazauskas made their first contribution in #​6418
• @​twentytwo777 made their first contribution in #​6423
• @​rohitsoni007 made their first contribution in #​6416
• @​AnkanMisra made their first contribution in #​6392
• @​gianmarco27 made their first contribution in #​6437

Full Changelog: fastify/fastify@v5.6.2...v5.7.0

v5.6.2

Compare Source

v5.6.1

Compare Source

What's Changed

• fix: fix typo of deprecation warning FSTDEP022 by @​Uzlopak in #​6313
• docs(decorators): fix TypeScript inconsistency by @​emicovi in #​6224
• chore: fix typos by @​deining in #​6316
• docs(security): add secondary contact/security escalation policy by @​UlisesGascon in #​6315
• chore(gha): remove benchmark github workflows by @​Eomm in #​6322
• chore(sponsor): add lambdatest by @​Eomm in #​6324
• fix: (types) allow FastifySchemaValidationError[] as an error by @​gurgunday in #​6326
• fix: correct session.close() context in http2 timeout handler by @​David-van-der-Sluijs in #​6327
• fix: close http2 sessions on close server by @​kostyak127 in #​6137

New Contributors

• @​deining made their first contribution in #​6316
• @​UlisesGascon made their first contribution in #​6315
• @​David-van-der-Sluijs made their first contribution in #​6327
• @​kostyak127 made their first contribution in #​6137

Full Changelog: fastify/fastify@v5.6.0...v5.6.1

v5.6.0

Compare Source

What's Changed

• fix: update typescript pino type to pick by @​dancastillo in #​6287
• feat(types): router option types by @​dancastillo in #​6282
• fix(types): Fix use of "esModuleInterop: false" by @​joshkel in #​6292
• docs: fix typo in Reference: TypeScript.md by @​hmanzoni in #​6302
• docs: clarify router performance note by @​Prasad2604 in #​6306

New Contributors

• @​joshkel made their first contribution in #​6292
• @​hmanzoni made their first contribution in #​6302
• @​Prasad2604 made their first contribution in #​6306

Full Changelog: fastify/fastify@v5.5.0...v5.6.0

v5.5.0

Compare Source

What's Changed

• docs: fix markdown linting issue by @​Uzlopak in #​6175
• chore: removed simple-get from mkcalendar tests by @​ilteoood in #​6199
• chore: removed simple-get from versioned-routes tests by @​ilteoood in #​6202
• chore: removed simple-get from hooks tests by @​ilteoood in #​6210
• fix: close pipelining test by @​ilteoood in #​6204
• chore: removed simple-get from unlock test by @​ilteoood in #​6178
• chore: removed simple-get from use-semicolon-delimiter tests by @​ilteoood in #​6203
• chore: removed simple-get from custom-https-server tests by @​ilteoood in #​6201
• chore: remove simple-get from custom parser 5 by @​ilteoood in #​6172
• chore: removed simple-get from head tests by @​ilteoood in #​6196
• chore: removed simple-get from request id tests by @​ilteoood in #​6193
• chore: remove simple get from custom parser 1 by @​ilteoood in #​6167
• chore: removed simple-get from custom-parser-0 by @​ilteoood in #​6168
• chore: remove simple-get from custom parser 2 by @​ilteoood in #​6169
• chore: remove simple-get from custom parser 4 by @​ilteoood in #​6171
• chore: removed simple-get from promises test by @​ilteoood in #​6183
• chore: removed simple-get from move test by @​ilteoood in #​6179
• chore: remove simple-get from custom querystring parser by @​ilteoood in #​6166
• chore: remove simple-get from propfind by @​ilteoood in #​6174
• chore: removed simple-get from case insensitive test by @​ilteoood in #​6188
• chore: remove simple get from async-await tests by @​ilteoood in #​6165
• chore: removed simple-get from header overflow test by @​ilteoood in #​6190
• chore: removed simple-get from check test by @​ilteoood in #​6176
• chore: removed simple-get from async hooks test by @​ilteoood in #​6189
• feat(types): export more schema related types by @​marcalexiei in #​6207
• chore: removed simple-get from copy tests by @​ilteoood in #​6198
• chore: removed simple-get from request-error test by @​ilteoood in #​6184
• chore: removed simple-get from decorator tests by @​ilteoood in #​6192
• ci: pin third-party actions to commit-hash by @​Fdawgs in #​6218
• fix: close fastify instance by @​ilteoood in #​6177
• chore(license): replace date range by @​Fdawgs in #​6219
• chore: removed simple-get from plugin-1 test by @​ilteoood in #​6180
• chore: removed simple-get from plugin-2 test by @​ilteoood in #​6181
• chore: removed simple-get from plugin-3 test by @​ilteoood in #​6182
• chore: remove simple get from reply test by @​ilteoood in #​6160
• feat(types): add missing error types by @​davidwood in #​6217
• docs: setErrorHandler description by @​AlvesJorge in #​6227
• docs: fix onError hook execution order documentation by @​emicovi in #​6225
• fix: handle abort signal in fastify.listen by @​climba03003 in #​6235
• feat: prepare to use Promise.withResolvers by @​climba03003 in #​6232
• docs: updated SECURITY.md by @​Eomm in #​6233
• fix(docs): fix markdown to exclude leading parenthesis by @​IanWoodard in #​6238
• ci: fix thollander/actions-comment-pull-request commit-hash by @​Fdawgs in #​6244
• docs(routes): add payload to preParsing signature by @​callmehiphop in #​6240
• docs(ecosystem): add fastify-route-preset plugin by @​inyourtime in #​6220
• chore: remove simple get from async request, get and register... by @​ilteoood in #​6246
• docs: improve custom validator documentation for async hooks by @​emicovi in #​6228
• chore: remove simple get from route shorthand by @​ilteoood in #​6245
• chore: Bump @​stylistic/eslint-plugin from 4.4.1 to 5.1.0 in the dev-dependencies-eslint group by @​dependabot[bot] in #​6242
• chore: Bump @​types/node from 22.15.34 to 24.0.8 in the dev-dependencies-typescript group by @​dependabot[bot] in #​6243
• chore(tests): remove simple get by @​ilteoood in #​6249
• chore: finally remove simple get by @​ilteoood in #​6251
• chore: remove undici from schema-validation.test.js by @​Uzlopak in #​6252
• test: fix flakyness of close-pipelining-test, upgrade undici to v7 by @​Uzlopak in #​6256
• fix: account for EPIPE fetch errors in tests by @​gurgunday in #​6255
• docs: correct parameter name in frameworkErrors handler by @​inyourtime in #​6257
• docs: fix server page headings level by @​golopot in #​6258
• fix: add FST_ERR_CTP_INVALID_JSON_BODY by @​Uzlopak in #​5925
• feat: optimize content type parser by using AsyncResource.bind() by @​gurgunday in #​6262
• fix: remove unnecessary body length check in contentTypeParser by @​gurgunday in #​6266
• docs(ecosystem): add fastify-multilingual by @​gbrugger in #​6268
• chore: fix docs Request.md by @​ts0307 in #​6270
• chore: Bump typescript from 5.8.3 to 5.9.2 in the dev-dependencies-typescript group by @​dependabot[bot] in #​6273
• chore: Bump cross-env from 7.0.3 to 10.0.0 by @​dependabot[bot] in #​6274
• feat(types): enforce reply status code types with type providers by @​samchungy in #​6250
• feat: move router options to own key by @​dancastillo in #​5985
• docs: refine CONTRIBUTING.md for better readability by @​Dipali127 in #​6277
• chore: refactor reply.send and prioritize kReplyIsError by @​gurgunday in #​6267
• docs(ecosystem): add fastify-permissions plugin by @​pckrishnadas88 in #​6265
• docs: Add Hey API to ecosystem by @​mrlubos in #​6280
• fix: OPTIONS Content-Type handling by @​gurgunday in #​6263

New Contributors

• @​marcalexiei made their first contribution in #​6207
• @​davidwood made their first contribution in #​6217
• @​AlvesJorge made their first contribution in #​6227
• @​emicovi made their first contribution in #​6225
• @​IanWoodard made their first contribution in #​6238
• @​callmehiphop made their first contribution in #​6240
• @​golopot made their first contribution in #​6258
• @​gbrugger made their first contribution in #​6268
• @​ts0307 made their first contribution in #​6270
• @​Dipali127 made their first contribution in #​6277
• @​pckrishnadas88 made their first contribution in #​6265
• @​mrlubos made their first contribution in #​6280

Full Changelog: fastify/fastify@v5.4.0...v5.5.0

v5.4.0

Compare Source

What's Changed

• test: mv routes-* from tap by @​jean-michelet in #​6092
• test: mv skip-reply-send from tap by @​jean-michelet in #​6094
• test: mv plugins from tap by @​jean-michelet in #​6088
• fix(ci): ignore alternative runtime result by @​Eomm in #​6125
• test: mv schema-* from tap by @​jean-michelet in #​6093
• test: mv hooks-async from tap by @​jean-michelet in #​6084
• fix(types): add missing version to request.routeOptions by @​inyourtime in #​6126
• docs: remove fastify-sentry plugin by @​dnlup in #​6131
• docs: add community plugins disclaimer by @​jean-michelet in #​6132
• docs: use cross-platform compatible info emoji by @​Fdawgs in #​6134
• perf: nits in reply.js by @​Cangit in #​6136
• docs: join core team by @​jean-michelet in #​6142
• docs: fix typo in hash.digest function by @​piotr-cz in #​6145
• test: mv hooks from tap by @​jean-michelet in #​6087
• test: improve issue 4959 unit test by @​Uzlopak in #​6147
• chore: Bump markdownlint-cli2 from 0.17.2 to 0.18.1 by @​dependabot in #​6150
• chore: remove dependencie tap and others updated by @​Tony133 in #​6148
• fix: hook async flaky by @​ilteoood in #​6155
• chore: Bump lycheeverse/lychee-action from 2.4.0 to 2.4.1 by @​dependabot in #​6151
• chore: removing simple-get from allow-unsafe-regex by @​ilteoood in #​6154
• chore: remove simple get on 404s test file by @​ilteoood in #​6153
• chore: remove simple-get in handle-request.test.js by @​ilteoood in #​6159
• chore: remove simple-get from url-rewriting by @​ilteoood in #​6163
• chore: remove simple-get in report.test.js by @​ilteoood in #​6157
• chore: remove simple-get from custom parser async by @​ilteoood in #​6164
• chore: removed simple-get from mkcol tests by @​ilteoood in #​6194
• chore: removed simple-get from proto-poisoning test by @​ilteoood in #​6185
• ci: Added Node.js v24 by @​mcollina in #​6113
• chore: removed simple-get from nullable validation test by @​ilteoood in #​6191
• feat: configure errorhandler override by @​jean-michelet in #​6104
• chore: remove simple-get from search test by @​ilteoood in #​6158
• chore: remove simple get from secure with fallback test by @​ilteoood in #​6162
• chore: removed simple-get from als test by @​ilteoood in #​6187
• chore: remove simple-get from listen 4 by @​ilteoood in #​6173
• fix: do not freeze request.routeOptions by @​mcollina in #​6141
• chore: removed simple-get from sync-delay-request tests by @​ilteoood in #​6212
• chore: removed simple-get from output-validation tests by @​ilteoood in #​6213
• chore: removed simple-get from async-delay-request tests by @​ilteoood in #​6211
• chore: removed simple-get from body-limit tests by @​ilteoood in #​6209
• chore: removed simple-get from trust-proxy tests by @​ilteoood in #​6205
• chore: removed simple-get from proppatch tests by @​ilteoood in #​6200
• chore(ci): cleanup citgm.yml by @​Eomm in #​6195
• chore: removed simple-get from https tests by @​ilteoood in #​6197
• chore: removed simple-get from lock test by @​ilteoood in #​6186

Full Changelog: fastify/fastify@v5.3.3...v5.4.0

v5.3.3

Compare Source

What's Changed

• docs: update Vercel section by @​leerob in #​6046
• docs(ecosystem): add fastify-papr plugin by @​inaiat in #​6051
• test: migrated helper and input validation to node test runner by @​ilteoood in #​6074
• style: add "no comma-dangle" rule to eslint config and remove trailing commas by @​cecia234 in #​6069
• test: migrate stream tests to node test runner by @​ilteoood in #​6065
• test: logger response by @​ilteoood in #​6055
• test: migrate schema feature to node test runner by @​ilteoood in #​6066
• fix: Added more cases for JSON schema validation by @​mcollina in #​6067
• test: migrated inject.test.js from tap to node:test by @​Tony133 in #​6068
• test: migrated plugin 1 to node test runner by @​ilteoood in #​6075
• ci: fix branch pattern by @​Eomm in #​6090
• docs: added Jeasx to Ecosystem.md by @​jablonski in #​6082
• test: mv promises from tap by @​jean-michelet in #​6085
• refactor: node:http2 is always available by @​Cangit in #​6073
• fix: update borp to 0.20.0. by @​lholmquist in #​6091
• chore: Bump fluent-json-schema from 5.0.0 to 6.0.0 by @​dependabot in #​6101
• chore: Bump tsd from 0.31.2 to 0.32.0 in the dev-dependencies-typescript group by @​dependabot in #​6100
• test: migrated decorator.test.js from tap to node:test by @​Tony133 in #​5957
• test: stabilize pipelining shutdown test with controlled close timing by @​jean-michelet in #​6099
• test: migrated output-validation.test.js from tap to node:test by @​Tony133 in #​6076
• test: remove tap from hooks-on ready file by @​IcaroSilvaFK in #​6080
• test: mv hooks.on-listen from tap by @​jean-michelet in #​6086
• ci: ignore scripts by @​Fdawgs in #​6108
• docs: add a warning about setErrorHandler overriding a previously defined error handler on an encapsulated context by @​jean-michelet in #​6097
• docs(ecosystem): remove fastify-diagnostics-channel by @​inyourtime in #​6117
• fix: internal function _addHook failure should be turned into the rejection app.ready is waiting for by @​jean-michelet in #​6105
• test: replace removed request properties and update docs by @​inyourtime in #​6111
• test: mv reply from tap by @​jean-michelet in #​6089
• test: updated promises.test.js re-added the plan() method by @​Tony133 in #​6057
• ci: add support to test release candidates by @​RafaelGSS in #​6103

New Contributors

• @​leerob made their first contribution in #​6046
• @​inaiat made their first contribution in #​6051
• @​cecia234 made their first contribution in #​6069
• @​jablonski made their first contribution in #​6082
• @​lholmquist made their first contribution in #​6091
• @​IcaroSilvaFK made their first contribution in #​6080

Full Changelog: fastify/fastify@v5.3.2...v5.3.3

v5.3.2

Compare Source

⚠️ Security Release ⚠️

Unfortunately, v5.3.1 did not include a complete fix for "Invalid content-type parsing could lead to validation bypass" and CVE-2025-32442. This is a follow-up patch to cover an edge case.

What's Changed

• docs: fix archived concurrently link to point to active repo by @​TimTeylor in #​6063
• fix: treat space as a delimiter in content-type parsing by @​mcollina in #​6064

New Contributors

• @​TimTeylor made their first contribution in #​6063

Full Changelog: fastify/fastify@v5.3.1...v5.3.2

v5.3.1

Compare Source

⚠️ Security Release ⚠️

• Fix for "Invalid content-type parsing could lead to validation bypass" and CVE-2025-32442

What's Changed

• test: migrate logger options to node test runner by @​ilteoood in #​6059
• test: migrate logger logging to node test runner by @​ilteoood in #​6060
• test: convert custom parser 1 to node test runner by @​ilteoood in #​6053
• test: custom querystring parser by @​ilteoood in #​6054
• test: migrate stream 4 to node test runner by @​ilteoood in #​6062
• test: migrate request logger to node test runner by @​ilteoood in #​6058
• test: migrate custom parser 0 to node test runner by @​ilteoood in #​6052
• test: migrate logger instantiation to node test runner by @​ilteoood in #​6061

New Contributors

• @​ilteoood made their first contribution in #​6059

Full Changelog: fastify/fastify@v5.3.0...v5.3.1

v5.3.0

Compare Source

What's Changed

• fix: wrong reply return type by @​dangkyokhoang in #​6026
• feat: allow to access decorators by @​jean-michelet in #​5768
• ci: continue-on-error on alternative runtime by @​Eomm in #​6031
• fix: clear [kState].readyPromise for garbage collection by @​LiviaMedeiros in #​6030
• ci: set workflow permissions to read-only by default by @​Fdawgs in #​6035
• chore: Bump the dependencies-major group with 2 updates by @​dependabot in #​6036
• chore: Bump lycheeverse/lychee-action from 2.3.0 to 2.4.0 by @​dependabot in #​6037
• chore: remove sponsort by @​Eomm in #​6040
• test: fix skip in upgrade test by @​LiviaMedeiros in #​6044
• chore: migrate custom-parser.4.test.js to node:test by @​Matthew-Mallimo in #​6042
• docs: add fastify-lm to Ecosystem.md by @​galiprandi in #​6032
• test: skip IPv6 tests if its support is not present by @​LiviaMedeiros in #​6048

New Contributors

• @​dangkyokhoang made their first contribution in #​6026
• @​Matthew-Mallimo made their first contribution in #​6042
• @​galiprandi made their first contribution in #​6032

Full Changelog: fastify/fastify@v5.2.2...v5.3.0

v5.2.2

Compare Source

What's Changed

• build: use static path instead of __filename by @​climba03003 in #​5922
• fix(linting): fix linting error in error-handler.js by @​Uzlopak in #​5926
• chore: Bump the dev-dependencies group across 1 directory with 6 updates by @​dependabot in #​5930
• fix: don't check for payload type in default json parser by @​gurgunday in #​5933
• docs: Include req.hostname change in upgrade guide by @​tmcw in #​5935
• build(dependabot): regroup dev dependencies by @​Fdawgs in #​5931
• chore: Bump borp from 0.18.0 to 0.19.0 by @​dependabot in #​5936
• chore: don't return the done function by @​gurgunday in #​5937
• ci(workflows): unpin node 22 version by @​Fdawgs in #​5941
• perf: don't use optional chaining for typeof .then checks by @​gurgunday in #​5942
• docs: the no fl

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[trentm]

Once #3409 is in, we can drop this (or it renovate will do so automatically?).