Commit b0f2873
fix(deps): update dependency fastify to v5.3.2 [security] (#90)
This PR contains the following updates:
| Package | Change |
|---|---|
| [fastify](https://fastify.dev/) ([source](https://redirect.github.com/fastify/fastify)) | [`5.2.2` -> `5.3.2`](https://renovatebot.com/diffs/npm/fastify/5.2.2/5.3.2) |
### GitHub Vulnerability Alerts
#### [CVE-2025-32442](https://redirect.github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc)
### Impact
In applications that specify different validation strategies for
different content types, it's possible to bypass the validation by
providing a _slightly altered_ content type such as with different
casing or altered whitespacing before `;`.
Users using the following pattern are affected:
```js
fastify.post('/', {
  handler(request, reply) {
    reply.code(200).send(request.body)
  },
  schema: {
    body: {
      // Body schema keyed per content type: the schema is selected by
      // matching the request's Content-Type against these keys
      content: {
        'application/json': {
          schema: {
            type: 'object',
            properties: {
              'foo': {
                type: 'string',
              }
            },
            required: ['foo']
          }
        },
      }
    }
  }
})
```
Users using the following pattern are **not** affected:
```js
fastify.post('/', {
  handler(request, reply) {
    reply.code(200).send(request.body)
  },
  schema: {
    // Single body schema, applied regardless of the request's Content-Type
    body: {
      type: 'object',
      properties: {
        'foo': {
          type: 'string',
        }
      },
      required: ['foo']
    }
  }
})
```
### Patches
This was patched in v5.3.1, but unfortunately it did not cover all
problems. This has been fully patched in v5.3.2.
### Workarounds
Do not specify multiple content types in the schema.
### References
_Are there any links users can visit to find out more?_
https://hackerone.com/reports/3087928
---
### Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass
[CVE-2025-32442](https://nvd.nist.gov/vuln/detail/CVE-2025-32442) /
[GHSA-mg2h-6x62-wpwc](https://redirect.github.com/advisories/GHSA-mg2h-6x62-wpwc)
<details>
<summary>More information</summary>
#### Details
##### Impact
In applications that specify different validation strategies for
different content types, it's possible to bypass the validation by
providing a _slightly altered_ content type such as with different
casing or altered whitespacing before `;`.
Users using the following pattern are affected:
```js
fastify.post('/', {
  handler(request, reply) {
    reply.code(200).send(request.body)
  },
  schema: {
    body: {
      // Body schema keyed per content type: the schema is selected by
      // matching the request's Content-Type against these keys
      content: {
        'application/json': {
          schema: {
            type: 'object',
            properties: {
              'foo': {
                type: 'string',
              }
            },
            required: ['foo']
          }
        },
      }
    }
  }
})
```
Users using the following pattern are **not** affected:
```js
fastify.post('/', {
  handler(request, reply) {
    reply.code(200).send(request.body)
  },
  schema: {
    // Single body schema, applied regardless of the request's Content-Type
    body: {
      type: 'object',
      properties: {
        'foo': {
          type: 'string',
        }
      },
      required: ['foo']
    }
  }
})
```
##### Patches
This was patched in v5.3.1, but unfortunately it did not cover all
problems. This has been fully patched in v5.3.2.
##### Workarounds
Do not specify multiple content types in the schema.
##### References
_Are there any links users can visit to find out more?_
https://hackerone.com/reports/3087928
#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`
#### References
- [https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc](https://redirect.github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-32442](https://nvd.nist.gov/vuln/detail/CVE-2025-32442)
- [https://github.com/fastify/fastify/commit/436da4c06dfbbb8c24adee3a64de0c51e4f47418](https://redirect.github.com/fastify/fastify/commit/436da4c06dfbbb8c24adee3a64de0c51e4f47418)
- [https://github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4](https://redirect.github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4)
- [https://hackerone.com/reports/3087928](https://hackerone.com/reports/3087928)
- [https://github.com/fastify/fastify](https://redirect.github.com/fastify/fastify)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-mg2h-6x62-wpwc) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Release Notes
<details>
<summary>fastify/fastify (fastify)</summary>
### [`v5.3.2`](https://redirect.github.com/fastify/fastify/compare/v5.3.1...32f7e1eb97b638bad3ff8b80948e5b2c07d1b8b5)
[Compare Source](https://redirect.github.com/fastify/fastify/compare/v5.3.1...v5.3.2)
### [`v5.3.1`](https://redirect.github.com/fastify/fastify/compare/v5.3.0...436da4c06dfbbb8c24adee3a64de0c51e4f47418)
[Compare Source](https://redirect.github.com/fastify/fastify/compare/v5.3.0...v5.3.1)
### [`v5.3.0`](https://redirect.github.com/fastify/fastify/releases/tag/v5.3.0)
[Compare Source](https://redirect.github.com/fastify/fastify/compare/v5.2.2...v5.3.0)
#### What's Changed
- fix: wrong reply return type by
[@​dangkyokhoang](https://redirect.github.com/dangkyokhoang) in
[https://github.com/fastify/fastify/pull/6026](https://redirect.github.com/fastify/fastify/pull/6026)
- feat: allow to access decorators by
[@​jean-michelet](https://redirect.github.com/jean-michelet) in
[https://github.com/fastify/fastify/pull/5768](https://redirect.github.com/fastify/fastify/pull/5768)
- ci: continue-on-error on alternative runtime by
[@​Eomm](https://redirect.github.com/Eomm) in
[https://github.com/fastify/fastify/pull/6031](https://redirect.github.com/fastify/fastify/pull/6031)
- fix: clear `[kState].readyPromise` for garbage collection by
[@​LiviaMedeiros](https://redirect.github.com/LiviaMedeiros) in
[https://github.com/fastify/fastify/pull/6030](https://redirect.github.com/fastify/fastify/pull/6030)
- ci: set workflow permissions to read-only by default by
[@​Fdawgs](https://redirect.github.com/Fdawgs) in
[https://github.com/fastify/fastify/pull/6035](https://redirect.github.com/fastify/fastify/pull/6035)
- chore: Bump the dependencies-major group with 2 updates by
[@​dependabot](https://redirect.github.com/dependabot) in
[https://github.com/fastify/fastify/pull/6036](https://redirect.github.com/fastify/fastify/pull/6036)
- chore: Bump lycheeverse/lychee-action from 2.3.0 to 2.4.0 by
[@​dependabot](https://redirect.github.com/dependabot) in
[https://github.com/fastify/fastify/pull/6037](https://redirect.github.com/fastify/fastify/pull/6037)
- chore: remove sponsort by
[@​Eomm](https://redirect.github.com/Eomm) in
[https://github.com/fastify/fastify/pull/6040](https://redirect.github.com/fastify/fastify/pull/6040)
- test: fix skip in upgrade test by
[@​LiviaMedeiros](https://redirect.github.com/LiviaMedeiros) in
[https://github.com/fastify/fastify/pull/6044](https://redirect.github.com/fastify/fastify/pull/6044)
- chore: migrate custom-parser.4.test.js to node:test by
[@​Matthew-Mallimo](https://redirect.github.com/Matthew-Mallimo)
in
[https://github.com/fastify/fastify/pull/6042](https://redirect.github.com/fastify/fastify/pull/6042)
- docs: add fastify-lm to Ecosystem.md by
[@​galiprandi](https://redirect.github.com/galiprandi) in
[https://github.com/fastify/fastify/pull/6032](https://redirect.github.com/fastify/fastify/pull/6032)
- test: skip IPv6 tests if its support is not present by
[@​LiviaMedeiros](https://redirect.github.com/LiviaMedeiros) in
[https://github.com/fastify/fastify/pull/6048](https://redirect.github.com/fastify/fastify/pull/6048)
#### New Contributors
- [@​dangkyokhoang](https://redirect.github.com/dangkyokhoang)
made their first contribution in
[https://github.com/fastify/fastify/pull/6026](https://redirect.github.com/fastify/fastify/pull/6026)
- [@​Matthew-Mallimo](https://redirect.github.com/Matthew-Mallimo)
made their first contribution in
[https://github.com/fastify/fastify/pull/6042](https://redirect.github.com/fastify/fastify/pull/6042)
- [@​galiprandi](https://redirect.github.com/galiprandi) made
their first contribution in
[https://github.com/fastify/fastify/pull/6032](https://redirect.github.com/fastify/fastify/pull/6032)
**Full Changelog**: fastify/fastify@v5.2.2...v5.3.0
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/8hobbies/commitrack).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

1 parent 7e26c3a commit b0f2873
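The advisory quoted in the commit message above attributes the bypass to matching the request's Content-Type against the schema's content-type keys without normalizing casing or the whitespace before `;`. The following is an added example, not Fastify's own code and not its actual fix: a normalizer that strips parameters, trims and lowercases the media type, a schema lookup keyed on the normalized value that fails closed with 415 when no schema is declared rather than skipping validation, and, for contrast, the naive raw-string lookup that misses on any variant. The function names (`normalizeMediaType`, `selectSchema`, `handleRequest`), the 415 response and the minimal `validateBody` stand-in for a real JSON Schema validator are all this example's own choices.

```javascript
// Added example (not Fastify's own code): normalize the Content-Type header
// before selecting a per-content-type schema, so that a variant such as
// "Application/JSON" or "application/json ; charset=utf-8" resolves to the
// same schema as the canonical "application/json" instead of matching nothing.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key)

// "type/subtype" made of RFC 9110 token characters; anything else is rejected.
const MEDIA_TYPE_RE = /^[!#$%&'*+.^_`|~0-9a-z-]+\/[!#$%&'*+.^_`|~0-9a-z-]+$/

// Drop parameters (everything from the first ';'), trim, lowercase.
// Returns null for a missing or malformed header value.
function normalizeMediaType(contentType) {
  if (typeof contentType !== 'string') return null
  const semi = contentType.indexOf(';')
  const mediaType = (semi === -1 ? contentType : contentType.slice(0, semi))
    .trim()
    .toLowerCase()
  return MEDIA_TYPE_RE.test(mediaType) ? mediaType : null
}

// Naive lookup keyed on the raw header value: any casing or whitespace
// difference misses the declared schema, and a caller that treats "no
// schema" as "nothing to validate" skips validation for that request.
function selectSchemaNaive(schemasByType, contentType) {
  return hasOwn(schemasByType, contentType) ? schemasByType[contentType] : null
}

// Hardened lookup: key on the normalized media type and fail closed with
// 415 when no schema is declared for it, never with "no validation".
function selectSchema(schemasByType, contentType) {
  const mediaType = normalizeMediaType(contentType)
  if (mediaType === null || !hasOwn(schemasByType, mediaType)) {
    const err = new Error('Unsupported Media Type')
    err.statusCode = 415
    throw err
  }
  return schemasByType[mediaType]
}

// Minimal stand-in for a JSON Schema validator (hypothetical): checks
// `required` keys and that declared string properties are strings.
// Returns a list of problems; an empty list means the body is valid.
function validateBody(schema, body) {
  if (body === null || typeof body !== 'object') return ['body must be an object']
  const problems = []
  for (const key of schema.required ?? []) {
    if (!hasOwn(body, key)) problems.push(`missing required property '${key}'`)
  }
  for (const [key, prop] of Object.entries(schema.properties ?? {})) {
    if (hasOwn(body, key) && prop.type === 'string' && typeof body[key] !== 'string') {
      problems.push(`property '${key}' must be a string`)
    }
  }
  return problems
}

// Constructed schema map mirroring the advisory's affected route.
const SCHEMAS_BY_TYPE = {
  'application/json': {
    type: 'object',
    properties: { foo: { type: 'string' } },
    required: ['foo']
  }
}

// Route-style handler: given the raw Content-Type header and the already
// parsed body, returns { statusCode, payload } the way a reply would.
function handleRequest(contentType, body) {
  let schema
  try {
    schema = selectSchema(SCHEMAS_BY_TYPE, contentType)
  } catch (err) {
    return { statusCode: err.statusCode ?? 500, payload: { error: err.message } }
  }
  const problems = validateBody(schema, body)
  if (problems.length > 0) return { statusCode: 400, payload: { error: problems } }
  return { statusCode: 200, payload: body }
}

// Constructed requests: the canonical type, a casing/whitespace variant of
// it with an invalid body, and an undeclared type.
console.log(handleRequest('application/json', { foo: 'bar' }))
console.log(handleRequest('Application/JSON ; charset=utf-8', {}))
console.log(handleRequest('text/plain', { foo: 'bar' }))
```

The design point is the fail-closed branch in `selectSchema`: the naive lookup is only dangerous because a miss is treated as "no schema, nothing to validate". Normalizing the media type closes the casing and whitespace gap described in the advisory, and rejecting undeclared types with 415 means any future parsing gap still cannot turn into unvalidated input.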
2 files changed: +26 −10 lines
Diff (file contents not rendered on this page): one line changed at line 36 (original line 36 removed, new line 36 added); lines 33–35 and 37–39 unchanged.