### ImpactThe attacker can use the incorrect `Content-Type` to bypass the `Pre-Flight` checking of `fetch`. `fetch()` requests with Content-Type’s [essence](https://mimesniff.spec.whatwg.org/#mime-type-essence) as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts `application/json` content type, thus bypassing any [CORS protection](https://fetch.spec.whatwg.org/#simple-header), and therefore they could lead to a Cross-Site Request Forgery attack.### PatchesFor `4.x` users, please update to at least `4.10.2`For `3.x` users, please update to at least `3.29.4`### WorkaroundsImplement Cross-Site Request Forgery protection using [`@fastify/csrf`](https://www.npmjs.com/package/@fastify/csrf).### ReferencesCheck out the HackerOne report: https://hackerone.com/reports/1763832.### For more information[Fastify security policy](https://github.com/fastify/fastify/security/policy)