Does fastify have any known vulnerabilities?

fastify v5.7.2 has 3 known CVE vulnerabilities. Review the safety scan for severity details and remediation guidance.

What capabilities does fastify have?

fastify has the following detected capabilities: network access, filesystem access, process spawning, environment variable access. Review these before using with AI coding agents.

Can I use fastify safely with AI coding agents?

fastify has been flagged with risk indicators. Review the detected threats and capabilities before using with AI coding agents. Assessments are automated and may contain errors.

fastify

Q: Is fastify safe to use?

fastify v5.7.2 has warnings detected in the latest brin safety scan. Trust score: 75/100. Review the flagged concerns before use. This is an automated assessment.

npm

Is fastify safe to use?

The latest brin safety scan flagged fastify v5.7.2 with risk indicators that warrant review. 3 known CVE vulnerabilities. Trust score: 75/100. Review the findings below before use. This is an automated assessment and may contain errors.

Install (safety-checked)

fastify Has Warnings

Warnings detected due to potential concerns

warning

CVEs

Threats

Install Scripts

Risk Indicators

•Can spawn child processes

fastify CVE Vulnerabilities (3)

CVE-2026-25223high

Fastify's Content-Type header tab character allows body validation bypass

Fixed in: 5.7.2

CVE-2026-25224low

Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream

Fixed in: 5.7.3

GHSA-mrq3-vjjr-p77cCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream

Fixed in: 5.7.3

brin Recommendations

→This package has warnings detected. Evaluate the specific concerns before proceeding.
→Update to a patched version to address 1 high-severity CVE.

Install with brin add fastify to automatically apply these checks before installation.

This is an automated, point-in-time assessment and may contain errors. Findings are risk indicators, not confirmed threats. Security posture may change over time. Maintainers can dispute findings via the brin review process.

fastify Capabilities & Permissions

What fastify can access when installed. Review these capabilities before using with AI agents like Cursor, Claude Code, or Codex.

Network Access

This package makes network requests.

127.0.0.1api.example.comapple.comdatatracker.ietf.orgdeveloper.mozilla.orgexample.comexample.com#example.orgfastify.devgithub.com+11 more

Protocols: http, https, tcp

Filesystem Access

Reads and writes to the filesystem.

.env (rw)package.json (rw).env (rw)package.json (rw)package.json (rw)/tmp/ (rw)package.json (rw)

Process Spawning

This package can spawn child processes.

Environment Variables

Accesses the following environment variables.

CITGMPREPUBLISH

AGENTS.md for fastify

Good instructions lead to good results. brin adds fastify documentation to your AGENTS.md so your agent knows how to use it properly—improving both safety and performance.

brin init

Vercel's research: 100% accuracy with AGENTS.md vs 53% without →

fastify Documentation & Source Code

For the full fastify README, API documentation, and source code, visit the official package registry.

View on npm View Source Homepage

Frequently asked questions about fastify safety

Install (safety-checked)

Weekly Downloads

4.7M

Version

5.7.2

License

MIT

Other Versions

5.7.4warning

Last Scanned

Feb 1, 2026

Trust Score

75/100·Legitimacy signals, not safety

CVEs (3)

CVE-2026-25223

Fastify's Content-Type header tab character allows body validation bypass

Fixed in: 5.7.2

CVE-2026-25224

Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream

Fixed in: 5.7.3

GHSA-mrq3-vjjr-p77c

Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream

Fixed in: 5.7.3

Capabilities

Network

Connects to: 127.0.0.1, api.example.com, apple.com...

Filesystem

Reads & Writes files

Process

Spawns child processes

Environment

Accesses: CITGM, PREPUBLISH