CVE-2026-7768
Fastify accepts-serializer Cache Exhaustion via Accept Header
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: openjs
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fastify | accepts-serializer | up to and including 6.0.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the @fastify/accepts-serializer package where it caches serializer-selection results based on the request's Accept header without any size limit or eviction policy.
A remote, unauthenticated attacker can exploit this by sending many distinct Accept header values that all match the same serializer, causing the cache to grow without bound.
This unbounded growth can exhaust the Node.js heap memory and ultimately crash the process.
Versions up to and including 6.0.3 are affected, and the issue is fixed in version 6.0.4 or later by introducing a bounded cache using an LRU (Least Recently Used) eviction policy with a default size of 100 entries.
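As an added illustration (hypothetical names, not the package's own code), the following shows an Accept-header-keyed cache in the unbounded form the advisory describes next to a bounded LRU with the 100-entry default, and a constructed burst of distinct-but-equivalent headers run through both; `selectSerializer`, `UnboundedCache`, `LruCache` and `simulate` are assumptions of this example.

```javascript
// Added illustration with hypothetical names (not @fastify/accepts-serializer code):
// an Accept-keyed cache in the unbounded form the advisory describes, then a bounded LRU.
const SUPPORTED = ['application/json', 'text/html', 'application/xml'];

// Stand-in for negotiation: first client-listed type we can serialize, else JSON.
function selectSerializer(accept) {
  const types = accept.split(',').map((t) => t.split(';')[0].trim().toLowerCase());
  for (const t of types) {
    if (t === '*/*') return SUPPORTED[0];
    if (SUPPORTED.includes(t)) return t;
  }
  return SUPPORTED[0];
}

// Vulnerable pattern: every distinct header string becomes a key that is never evicted,
// so memory grows with the number of distinct Accept values clients send.
class UnboundedCache {
  constructor() { this.map = new Map(); }
  get(key, compute) {
    if (!this.map.has(key)) this.map.set(key, compute(key));
    return this.map.get(key);
  }
  get size() { return this.map.size; }
}

// Hardened pattern: bounded LRU. Map iterates in insertion order, so deleting and
// re-setting a hit marks it most recent and the first key is the least recently used.
class LruCache {
  constructor(maxSize = 100) { this.maxSize = maxSize; this.map = new Map(); }
  has(key) { return this.map.has(key); }
  get size() { return this.map.size; }
  get(key, compute) {
    const v = this.map.has(key) ? this.map.get(key) : compute(key);
    this.map.delete(key);   // no-op on a miss; on a hit, the set below refreshes recency
    this.map.set(key, v);
    if (this.map.size > this.maxSize) this.map.delete(this.map.keys().next().value);
    return v;
  }
}

// Constructed traffic: headers differing only in parameter noise, so each is a new
// cache key although every one of them resolves to the same serializer.
function simulate(cache, requests) {
  let last;
  for (let i = 0; i < requests; i++) {
    last = cache.get(`application/json;q=0.9, text/html;v=${i}`, selectSerializer);
  }
  return { entries: cache.size, serializer: last };
}
```

Running `simulate` with the same request count against both caches shows the unbounded one holding one entry per request while the LRU stays at its cap, which is the behaviour the 6.0.4 fix and its `cacheSize` option are meant to provide.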
How can this vulnerability impact me?
This vulnerability can lead to a denial of service (DoS) condition by exhausting the Node.js heap memory.
An attacker can cause the application to crash by sending many distinct Accept header variants, which causes the cache to grow unbounded.
This can result in service downtime, loss of availability, and potentially impact users relying on the affected service.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update @fastify/accepts-serializer to version 6.0.4 or later.
The update introduces a bounded cache using an LRU (Least Recently Used) policy with a default size of 100 entries, which prevents unbounded cache growth.
Additionally, you can configure the cache size through the new cacheSize plugin option to better control memory usage.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes a denial of service by exhausting the Node.js heap and crashing the process due to unbounded cache growth. It does not directly impact confidentiality, integrity, or availability of data in a way that would specifically affect compliance with standards like GDPR or HIPAA.
However, if the denial of service leads to system unavailability, it could indirectly affect availability requirements under such regulations.
No direct information is provided about compliance impact in the available context.