CVE-2026-25224

Low CVSS: 3.7

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.

Vendor

Fastify

Product

Fastify

CWE

CWE-770

Yayın Tarihi

2026-02-03 22:16:31

Güncelleme

2026-02-10 19:24:48

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-770 Fastify LOW Fastify 2026

Referanslar

https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37 https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c https://hackerone.com/reports/3524779

Benzer Kayıtlar

Medium

CVE-2026-3419

Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in…

High

CVE-2026-25223

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability…

Medium

CVE-2025-66415

fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Prior to 12.5.0, by crafti…

High

CVE-2025-32442

Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, app…