3.7

CVE-2026-25224

Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
FastifyFastify SwPlatformnode.js Version < 5.7.3
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.49% 0.381
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 3.7 2.2 1.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c
Vendor Advisory
https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37
Patch
https://hackerone.com/reports/3524779
Permissions Required