CVE-2022-39288 - Vulnerability Details - OpenCVE

fastify is a fast and low overhead web framework, for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit `fbb07e8d` and will be included in release version 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually filter out http content with malicious Content-Type headers.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Fastify	Fastify

Configuration 1 [-]

cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3
https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg
https://github.com/fastify/fastify/security/policy

History

Wed, 23 Apr 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-10-10T00:00:00.000Z

Updated: 2025-04-23T16:51:56.095Z

Reserved: 2022-09-02T00:00:00.000Z

Link: CVE-2022-39288

Vulnrichment

Updated: 2024-08-03T12:00:43.799Z

NVD

Status : Modified

Published: 2022-10-10T21:15:11.300

Modified: 2024-11-21T07:17:57.870

Link: CVE-2022-39288

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39288", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2025-04-23T16:51:56.095Z", "dateReserved": "2022-09-02T00:00:00.000Z", "datePublished": "2022-10-10T00:00:00.000Z"}, "containers": {"cna": {"title": "Denial of service in Fastify via Content-Type header", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-10T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "fastify is a fast and low overhead web framework, for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit `fbb07e8d` and will be included in release version 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually filter out http content with malicious Content-Type headers."}], "affected": [{"vendor": "fastify", "product": "fastify", "versions": [{"version": ">= 4.0.0, < 4.8.1", "status": "affected"}]}], "references": [{"url": "https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg"}, {"url": "https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3"}, {"url": "https://github.com/fastify/fastify/security/policy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "cweId": "CWE-754"}]}], "source": {"advisory": "GHSA-455w-c45v-86rg", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.799Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg", "tags": ["x_transferred"]}, {"url": "https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3", "tags": ["x_transferred"]}, {"url": "https://github.com/fastify/fastify/security/policy", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T15:50:15.699604Z", "id": "CVE-2022-39288", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T16:51:56.095Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39288", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2025-04-23T16:51:56.095Z", "dateReserved": "2022-09-02T00:00:00.000Z", "datePublished": "2022-10-10T00:00:00.000Z"}, "containers": {"cna": {"title": "Denial of service in Fastify via Content-Type header", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-10T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "fastify is a fast and low overhead web framework, for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit `fbb07e8d` and will be included in release version 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually filter out http content with malicious Content-Type headers."}], "affected": [{"vendor": "fastify", "product": "fastify", "versions": [{"version": ">= 4.0.0, < 4.8.1", "status": "affected"}]}], "references": [{"url": "https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg"}, {"url": "https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3"}, {"url": "https://github.com/fastify/fastify/security/policy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "cweId": "CWE-754"}]}], "source": {"advisory": "GHSA-455w-c45v-86rg", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.799Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg", "tags": ["x_transferred"]}, {"url": "https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3", "tags": ["x_transferred"]}, {"url": "https://github.com/fastify/fastify/security/policy", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-39288", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T15:50:15.699604Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T15:50:17.610Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "807CA7E6-76C5-4960-A3FE-1D3A9340CABB", "versionEndExcluding": "4.8.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "fastify is a fast and low overhead web framework, for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header. An attacker can send an invalid Content-Type header that can cause the application to crash. This issue has been addressed in commit `fbb07e8d` and will be included in release version 4.8.1. Users are advised to upgrade. Users unable to upgrade may manually filter out http content with malicious Content-Type headers."}, {"lang": "es", "value": "fastify es un framework web r\u00e1pido y de baja sobrecarga, para Node.js. Las versiones afectadas de fastify est\u00e1n sujetas a una denegaci\u00f3n de servicio por medio del uso malicioso del encabezado Content-Type. Un atacante puede enviar un encabezado Content-Type no v\u00e1lida que puede causar el bloqueo de la aplicaci\u00f3n. Este problema ha sido abordado en el commit \"fbb07e8d\" y ser\u00e1 incluido en versi\u00f3n 4.8.1. Es recomendado a usuarios actualizar. Los usuarios que no puedan actualizar pueden filtrar manualmente el contenido http con encabezados Content-Type maliciosos"}], "id": "CVE-2022-39288", "lastModified": "2024-11-21T07:17:57.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-10T21:15:11.300", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/fastify/fastify/security/policy"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/fastify/fastify/security/policy"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-754"}], "source": "security-advisories@github.com", "type": "Secondary"}]}