CVE-2026-7768
Status: Analyzed (Analysis Complete)
Fastify accepts-serializer Cache Exhaustion via Accept Header

Publication date: 2026-05-04

Last updated on: 2026-05-29

Assigner: openjs

Description
@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-05-05
EPSS evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products
Vendor: fastify
Product: fastify/accepts-serializer
Affected range: < 6.0.4 (6.0.4 itself is not affected)
CWE
CWE-770: Allocation of Resources Without Limits or Throttling. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. Here the resource is one cache entry per distinct Accept header value, allocated on behalf of any unauthenticated client.
Compliance Impact

This vulnerability is a denial of service: unbounded cache growth exhausts the Node.js heap and crashes the process. It does not expose or alter data, so confidentiality and integrity are unaffected; the impact is on availability.

Loss of availability can still matter where a regulation or contract imposes availability or resilience requirements (for example, the availability and resilience obligations in GDPR Article 32 or the HIPAA Security Rule), so affected services should be tracked through to remediation.

The available context provides no further compliance-specific information.

Executive Summary

The vulnerability exists in the @fastify/accepts-serializer package where it caches serializer-selection results based on the request's Accept header without any size limit or eviction policy.

A remote, unauthenticated attacker can exploit this by sending many Accept header values that are textually distinct but select the same serializer, for example the same media type with a different q-value, an extra parameter, or different whitespace on each request. Because the cache is keyed by the raw header string, every variant becomes a new entry and the cache grows without bound.

This unbounded growth can exhaust the Node.js heap memory and ultimately crash the process.

Versions up to and including 6.0.3 are affected, and the issue is fixed in version 6.0.4 or later by introducing a bounded cache using an LRU (Least Recently Used) eviction policy with a default size of 100 entries.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition by exhausting the Node.js heap memory.

An attacker can crash the application by sending many distinct Accept header variants, each of which adds a cache entry that is never evicted, so the cache grows without bound until the heap is exhausted.

This can result in service downtime, loss of availability, and potentially impact users relying on the affected service.

Mitigation Strategies

To mitigate this vulnerability, update @fastify/accepts-serializer to version 6.0.4 or later.

The update introduces a bounded cache using an LRU (Least Recently Used) policy with a default size of 100 entries, which prevents unbounded cache growth.

Additionally, you can configure the cache size through the new cacheSize plugin option to better control memory usage.
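The mechanism described in the Executive Summary and the bounded-cache fix described in this section, as an added example that is not the plugin's own code: a stand-in for serializer selection (the serializer table, the parseAccept and selectSerializer helpers, and the UnboundedCache and LruCache classes are all assumptions made for illustration and do not reproduce the project's implementation), a generator of distinct-but-matching Accept values, and a simulation that shows the unbounded cache taking one entry per request while the LRU stays at cacheSize entries and returns the same selections.

```javascript
// Added example (not the project's code): why an Accept-keyed cache without a bound
// is a memory-exhaustion vector, and how an LRU with a fixed capacity closes it.
// The "serializer selection" below is a minimal stand-in for what the plugin does:
// pick the first registered serializer whose regex matches a media type in Accept.

// Constructed serializer table; the regexes are illustrative, not the plugin's defaults.
const SERIALIZERS = [
  { regex: /^application\/json$/, name: 'json' },
  { regex: /^application\/yaml$/, name: 'yaml' },
];

// Parse an Accept header into media types ordered by q-value (RFC 9110 section 12.5.1).
// Parameters other than q are ignored; this is exactly why many distinct header
// strings "match" the same serializer.
function parseAccept(accept) {
  return accept
    .split(',')
    .map((part) => {
      const [type, ...params] = part.trim().split(';').map((s) => s.trim());
      let q = 1;
      for (const p of params) {
        const [k, v] = p.split('=');
        if (k === 'q') q = parseFloat(v);
      }
      return { type: type.toLowerCase(), q: Number.isFinite(q) ? q : 0 };
    })
    .filter((m) => m.q > 0)
    .sort((a, b) => b.q - a.q);
}

function selectSerializer(accept) {
  for (const { type } of parseAccept(accept)) {
    const s = SERIALIZERS.find((entry) => entry.regex.test(type));
    if (s) return s.name;
  }
  return null;
}

// Vulnerable pattern (what the advisory describes for <= 6.0.3): a Map keyed by the
// raw header string that is never evicted, so every distinct Accept string is a
// permanent entry owned by whoever sent it.
class UnboundedCache {
  constructor() { this.map = new Map(); }
  get(accept) {
    if (!this.map.has(accept)) this.map.set(accept, selectSerializer(accept));
    return this.map.get(accept);
  }
  get size() { return this.map.size; }
}

// Bounded LRU (assumed shape of the fix, not the project's code): a Map preserves
// insertion order, so re-inserting on a hit moves the key to the most-recently-used
// end and the first key is always the least recently used one to evict.
class LruCache {
  constructor(cacheSize = 100) { this.cacheSize = cacheSize; this.map = new Map(); }
  get(accept) {
    if (this.map.has(accept)) {
      const hit = this.map.get(accept);
      this.map.delete(accept);
      this.map.set(accept, hit);
      return hit;
    }
    const value = selectSerializer(accept);
    this.map.set(accept, value);
    if (this.map.size > this.cacheSize) this.map.delete(this.map.keys().next().value);
    return value;
  }
  get size() { return this.map.size; }
}

// Generate n distinct Accept strings that all select the JSON serializer: a harmless
// extension parameter with a changing value is enough to defeat raw-string keying.
function acceptVariants(n) {
  const out = [];
  for (let i = 0; i < n; i++) out.push(`application/json;v=${i}`);
  return out;
}

// Drive both caches with the same constructed request stream and report entry counts
// plus whether the bounded cache ever returned a different selection.
function simulate(requests, cacheSize = 100) {
  const unbounded = new UnboundedCache();
  const bounded = new LruCache(cacheSize);
  let mismatches = 0;
  for (const accept of acceptVariants(requests)) {
    if (unbounded.get(accept) !== bounded.get(accept)) mismatches++;
  }
  return { unboundedEntries: unbounded.size, boundedEntries: bounded.size, mismatches };
}
```

The check worth keeping is mismatches === 0: bounding the cache changes only how much memory a client can pin, never which serializer a request gets, because an evicted entry is simply recomputed on the next miss. When sizing cacheSize in a real deployment, count the distinct Accept values legitimate clients actually send (usually a handful), not the number of requests.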
