chore(deps): update dependency fastify to v5.8.3 [security]

[renovate-sh-app]

This PR contains the following updates:

Package	Change	Age	Confidence
fastify (source)	5.7.4 → 5.8.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-3635

Summary

When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.

Affected Versions

fastify <= 5.8.2

Impact

Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.

When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.

---

Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation

CVE-2026-3419 / GHSA-573f-x89g-hqp9

More information

Details

Description

Fastify incorrectly accepts malformed Content-Type headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1. For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.

When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.

Impact

An attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.

Workarounds

Deploy a WAF rule to protect against this

Fix

The fix is available starting with v5.8.1.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

• https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9
• https://nvd.nist.gov/vuln/detail/CVE-2026-3419
• https://github.com/fastify/fastify/commit/67f6c9b32cb3623d3c9470cc17ed830dd2f083d7
• https://cna.openjsf.org/security-advisories.html
• https://github.com/advisories/GHSA-573f-x89g-hqp9
• https://github.com/fastify/fastify
• https://httpwg.org/specs/rfc9110.html#field.content-type
• https://www.cve.org/CVERecord?id=CVE-2026-3419

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections

CVE-2026-3635 / GHSA-444r-cwp2-x5xf

More information

Details

Summary

When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.

Affected Versions

fastify <= 5.8.2

Impact

Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.

When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.

Severity

• CVSS Score: 6.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

References

• https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf
• https://nvd.nist.gov/vuln/detail/CVE-2026-3635
• https://cna.openjsf.org/security-advisories.html
• https://github.com/fastify/fastify
• https://github.com/fastify/fastify/releases/tag/v5.8.3
• https://www.cve.org/CVERecord?id=CVE-2026-3635

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

fastify/fastify (fastify)

v5.8.3

Compare Source

⚠️ Security Release

This fixes CVE CVE-2026-3635 GHSA-444r-cwp2-x5xf.

What's Changed

• docs(readme): add @​Tony133 to plugin team by @​Tony133 in #​6565
• Updated Plugins-Guide.md; Changed "fastify" to "instance" during plugin registration to showcase that it's added as a child by @​kyrylchenko in #​6566
• test: use fastify.test in test case by @​climba03003 in #​6568
• docs: use fastify.example in documentation by @​climba03003 in #​6567
• docs: add common performance degradation guidance by @​maxpetrusenko in #​6520
• docs(server): fix camelCase anchor links in TOC by @​Deepvamja in #​6530
• ci(link-checker): fix root-relative links resolution by @​barba-rossa in #​6535
• docs: update syntax markdown, absolute paths and links by @​Tony133 in #​6569
• docs: clarify content-type parser/schema mismatch is outside threat model by @​mcollina in #​6537
• docs: fix incorrect code examples in Reply and Request reference by @​mahmoodhamdi in #​6582
• docs: replace redirected npm.im http-errors link by @​mcollina in #​6588
• types: Allow port to be null in request type definition by @​TristanBarlow in #​6589
• docs: update links by @​Tony133 in #​6593
• ci(lock-threads): use shared lock-threads workflow by @​Fdawgs in #​6592

New Contributors

• @​kyrylchenko made their first contribution in #​6566
• @​maxpetrusenko made their first contribution in #​6520
• @​Deepvamja made their first contribution in #​6530
• @​barba-rossa made their first contribution in #​6535
• @​mahmoodhamdi made their first contribution in #​6582
• @​TristanBarlow made their first contribution in #​6589

Full Changelog: fastify/fastify@v5.8.2...v5.8.3

v5.8.2

Compare Source

What's Changed

• docs(ecosystem): add @​yeliex/fastify-problem-details by @​yeliex in #​6546
• Revert "chore: upgrade borp to v1.0.0" by @​climba03003 in #​6564
• docs: document body validation with custom content type parsers by @​mcollina in #​6556
• docs(ecosystem): add fastify-file-router by @​bhouston in #​6441
• docs: add fastify-svelte-view to Ecosystem list by @​matths in #​6453
• fix: anchor keyValuePairsReg to prevent quadratic backtracking by @​mcollina in #​6558
• docs: added note on handling of invalid URLs in setNotFoundHandler by @​leftieFriele in #​5661
• docs(guides): update codemod links by @​OluchiEzeifedikwa in #​6479
• docs: add @​glidemq/fastify to community plugins by @​avifenesh in #​6560

New Contributors

• @​yeliex made their first contribution in #​6546
• @​matths made their first contribution in #​6453
• @​leftieFriele made their first contribution in #​5661
• @​OluchiEzeifedikwa made their first contribution in #​6479
• @​avifenesh made their first contribution in #​6560

Full Changelog: fastify/fastify@v5.8.1...v5.8.2

v5.8.1

Compare Source

⚠️ Security Release

Fixes "Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation": GHSA-573f-x89g-hqp9.

CVE-2026-3419

Full Changelog: fastify/fastify@v5.8.0...v5.8.1

v5.8.0

Compare Source

What's Changed

• docs(request): add host security warning references by @​mcollina in #​6476
• docs: fix note style by @​Fdawgs in #​6487
• chore: rename deploy website ci by @​Eomm in #​6492
• chore: support pino v9 and v10 by @​mcollina in #​6496
• chore: update logger types and fix TODO comment by @​Tony133 in #​6470
• refactor(test-types): migrate dummy-plugin to FastifyPluginAsync by @​Tony133 in #​6472
• docs: fix markdown typo in README.md by @​droppingbeans in #​6491
• test: cover non-numeric content-length client error path by @​mcollina in #​6500
• ci: remove tests-checker workflow by @​Tony133 in #​6481
• ci: remove stale.yml file by @​Tony133 in #​6504
• docs(security): remove hackerone references; change note style by @​Fdawgs in #​6501
• chore: rename @​sinclair/typebox to typebox by @​Tony133 in #​6494
• ci(links-check): add external link checker using linkinator-action by @​umxr in #​6386
• chore: upgrade borp to v1.0.0 by @​Tony133 in #​6510
• docs: Add OpenJS CNA reference to SECURITY.md by @​mcollina in #​6516
• fix: avoid mutating shared routerOptions across instances by @​mcollina in #​6515
• fix(types): accept async route hooks in shorthand options by @​mcollina in #​6514
• docs: Improve shutdown lifecycle documentation by @​kibertoad in #​6517
• chore: remove unused tsconfig.eslint.json by @​mrazauskas in #​6524
• feat: First-class support for handler-level timeouts by @​kibertoad in #​6521
• docs(security): clarify insecureHTTPParser threat model scope by @​mcollina in #​6533
• chore(license): standardise license notice by @​Fdawgs in #​6511
• docs: clarify anyOf nullable coercion behavior with primitive types by @​slegarraga in #​6531
• fix: remove format placeholder from FST_ERR_CTP_INVALID_MEDIA_TYPE message by @​super-mcgin in #​6528
• docs(reference/hooks): fix note style by @​Fdawgs in #​6538
• chore: Bump lycheeverse/lychee-action from 2.7.0 to 2.8.0 by @​dependabot[bot] in #​6539
• chore: Bump actions/dependency-review-action from 4.8.2 to 4.8.3 by @​dependabot[bot] in #​6540
• chore: Bump markdownlint-cli2 from 0.20.0 to 0.21.0 by @​dependabot[bot] in #​6542
• ci: remove broken links and add ecosystem link validator by @​mcollina in #​6421
• ci(validate-ecoystem-links): add job level permission by @​Fdawgs in #​6545
• style: remove trailing whitespace by @​Fdawgs in #​6543

New Contributors

• @​droppingbeans made their first contribution in #​6491
• @​umxr made their first contribution in #​6386
• @​slegarraga made their first contribution in #​6531
• @​super-mcgin made their first contribution in #​6528

Full Changelog: fastify/fastify@v5.7.4...v5.8.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.