
🚨 [security] Update fastify 5.6.1 → 5.7.4 (minor) #60

Open
depfu[bot] wants to merge 1 commit into main from depfu/update/pnpm/fastify-5.7.4


@depfu depfu bot commented Feb 3, 2026


Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!



🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ fastify (5.6.1 → 5.7.4) · Repo

Security Advisories 🚨

🚨 Fastify's Content-Type header tab character allows body validation bypass

Impact

A validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type.

For example, a request with Content-Type: application/json\ta will bypass JSON schema validation but still be parsed as JSON.

This vulnerability affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints. The concrete impact depends on the handler implementation and the level of trust placed in the validated request body, but at the library level, this allows complete bypass of body validation for any handler using Content-Type-discriminated schemas.

This issue is a regression or missed edge case from the fix for a previously reported vulnerability.

Patches

This vulnerability has been patched in Fastify v5.7.2. All users should upgrade to this version or later immediately.

Workarounds

If upgrading is not immediately possible, users can implement a custom onRequest hook to reject requests containing tab characters in the Content-Type header:

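fastify.addHook('onRequest', async (request, reply) => {
  const contentType = request.headers['content-type']
  // Reject any Content-Type value that contains a horizontal tab
  if (contentType && contentType.includes('\t')) {
    reply.code(400).send({ error: 'Invalid Content-Type header' })
    // Return the reply so the async hook stops the request lifecycle here
    return reply
  }
})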

🚨 Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream

Impact

A Denial of Service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation.

Patches

The issue is fixed in Fastify 5.7.3. Users should upgrade to 5.7.3 or later.

Workarounds

Avoid sending Web Streams from Fastify responses (e.g., ReadableStream or Response bodies). Use Node.js streams (stream.Readable) or buffered payloads instead until the project can upgrade.

Release Notes

5.7.3

⚠️ Security Release

What's Changed

  • docs: update Reply.send() documentation for string serialization by @mcollina in #6466
  • chore: ignore agents config files by @mcollina in #6474
  • docs: update vulnerability reporting to use GitHub Security by @mcollina in #6475

Full Changelog: v5.7.2...v5.7.3

5.7.2

⚠️ Notice ⚠️

Parsing of the content-type header has been improved to a strict parser in PR #6414. This means only header values in the form described in RFC 9110 are accepted.

Full Changelog: v5.7.1...v5.7.2

5.7.1

Full Changelog: v5.7.0...v5.7.1

5.7.0

Full Changelog: v5.6.2...v5.7.0

5.6.2

What's Changed

  • refactor: rename source file names with kebab-case by @jean-michelet in #6331
  • ci(ci): check dependabot prs originate from repo by @Fdawgs in #6330
  • fix: accept htab ows by @jean-michelet in #6303
  • fix: handle non FastifyErrors in custom handler properly, set type of error-parameter for setErrorHandler and errorHandler to unknown, but configurable via generic TError by @Uzlopak in #6308
  • build(deps-dev): remove @fastify/pre-commit by @Fdawgs in #6319
  • ci: improve citgm workflows by @Uzlopak in #6334
  • docs: explain stream error handling by @lundibundi in #5746
  • fix: error throwing in reply by @juanlet in #6299
  • refactor: delegate options processing to a dedicated function by @jean-michelet in #6333
  • ci: remove label of citgm only on pull_request.labeled, add options for workflow_dispatch by @Uzlopak in #6335
  • chore: Bump actions/checkout from 4 to 5 by @dependabot[bot] in #6343
  • chore: Bump joi from 17.13.3 to 18.0.1 by @dependabot[bot] in #6347
  • chore: Bump lycheeverse/lychee-action from 2.4.1 to 2.6.1 by @dependabot[bot] in #6345
  • chore: Bump actions/dependency-review-action from 4.7.1 to 4.8.0 by @dependabot[bot] in #6344
  • chore: Bump actions/labeler from 5 to 6 by @dependabot[bot] in #6341
  • chore: Bump actions/setup-node from 4 to 5 by @dependabot[bot] in #6342
  • chore: Bump actions/github-script from 7 to 8 by @dependabot[bot] in #6340
  • docs: mention that addHttpMethod override existing methods by @jean-michelet in #6350
  • chore: remove reference to simple-get by @ilteoood in #6353
  • chore: remove commented tests by @ilteoood in #6352
  • fix: respect child logger factory in fastify options by @cysp in #6349
  • docs(ecosystem): adding attaryz/fastify-devtools to community plugins by @attaryz in #6339
  • docs: remove ambiguity from statement by @udohjeremiah in #6360
  • chore: add @fastify/sse as fastify core plugin to documentation and citgm by @manshusainishab in #6364
  • docs(guides/fluent-schema): replace last nb usage by @Fdawgs in #6365
  • style(ci): remove whitespace from concurrency group by @Fdawgs in #6366
  • docs: Fix broken link to TypeBox doc website wrt AJV setup by @melroy89 in #6367
  • docs(reference/plugins): mention async plugins by @Fdawgs in #6357
  • chore: add max-len ESLint rule with 120 character limit by @emicovi in #6221
  • chore: Bump actions/dependency-review-action from 4.8.0 to 4.8.1 by @dependabot[bot] in #6374
  • chore: Bump pino from 9.14.0 to 10.1.0 in the dependencies-major group by @dependabot[bot] in #6378
  • chore: Bump pnpm/action-setup from 4.1.0 to 4.2.0 by @dependabot[bot] in #6375
  • chore: Bump tsd from 0.32.0 to 0.33.0 in the dev-dependencies-typescript group by @dependabot[bot] in #6346
  • chore: Bump lycheeverse/lychee-action from 2.6.1 to 2.7.0 by @dependabot[bot] in #6377
  • fix: handle web stream payload in HEAD route by @orionmiz in #6372
  • chore: Bump actions/setup-node from 5 to 6 by @dependabot[bot] in #6376
  • chore: Bump borp from 0.20.2 to 0.21.0 by @dependabot[bot] in #6379
  • fix: parse ipv6 hostname by @jean-michelet in #6373
  • fix: consistent error handling for custom validators in async validation contexts by @emicovi in #6247

Full Changelog: v5.6.1...v5.6.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on GitHub. The new version differs by more commits than we can show here.


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu cancel merge: Cancels automatic merging of this PR
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Feb 3, 2026
@depfu depfu bot requested a review from microwavekonijn February 3, 2026 00:05
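
The strict RFC 9110 parsing mentioned in the 5.7.2 notice, sketched as an added example (not Fastify's code and not part of the bot's comment) and set beside the advisory's tab-rejecting workaround. The names `strictEssence`, `workaroundRejects` and `decide` and the sample header values are constructed for illustration.

```javascript
// Added example (not Fastify's code). Grammar follows RFC 9110:
//   media-type = type "/" subtype *( OWS ";" OWS [ parameter ] )
//   parameter  = token "=" ( token / quoted-string ),  OWS = *( SP / HTAB )
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
const QDTEXT = '[\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]';
const QPAIR = '\\\\[\\t \\x21-\\x7E\\x80-\\xFF]';
const QUOTED = `"(?:${QDTEXT}|${QPAIR})*"`;
const PARAM = `${TOKEN}=(?:${TOKEN}|${QUOTED})`;
const MEDIA_TYPE = new RegExp(`^(${TOKEN})/(${TOKEN})(?:[ \\t]*;[ \\t]*(?:${PARAM})?)*$`);

// Lower-cased "type/subtype", or null when the value is not a well-formed media type.
function strictEssence(value) {
  if (typeof value !== 'string') return null;
  const m = MEDIA_TYPE.exec(value);
  return m === null ? null : `${m[1]}/${m[2]}`.toLowerCase();
}

// The advisory's stop-gap check: refuse any Content-Type that contains a tab.
function workaroundRejects(value) {
  return typeof value === 'string' && value.includes('\t');
}

// Decision a hypothetical onRequest hook would take under each policy.
function decide(value) {
  const essence = strictEssence(value);
  return {
    strict: essence === null ? 'reject' : `accept ${essence}`,
    workaround: workaroundRejects(value) ? 'reject' : 'pass through'
  };
}

// Constructed sample header values.
const SAMPLES = [
  'application/json',
  'application/json\ta',               // the advisory's example value
  'application/json\t; charset=utf-8', // HTAB as optional whitespace: valid
  'Application/JSON;charset="utf-8"'
];
for (const s of SAMPLES) console.log(JSON.stringify(s), decide(s));
```

The third sample shows where the two policies differ: a tab before `;` is legal optional whitespace, so the workaround hook is stricter than RFC 9110 there, while both refuse `application/json\ta`.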

changeset-bot bot commented Feb 3, 2026

⚠️ No Changeset found

Latest commit: 75f4a94

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR
