Description

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option.
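The pattern behind this advisory, as an added illustration (not the @fastify/accepts-serializer source): a memoisation cache keyed by the raw, client-controlled Accept header, first with no eviction and then bounded by an LRU whose default of 100 entries matches the fixed release. Class and function names here are hypothetical.

```javascript
// Before: a plain Map keyed by the Accept header never evicts, so every
// distinct header string stays resident for the life of the process.
class UnboundedCache {
  constructor() { this.map = new Map(); }
  get(key) { return this.map.get(key); }
  set(key, value) { this.map.set(key, value); }
  get size() { return this.map.size; }
}

// After: an LRU capped at `cacheSize` entries (default 100). A Map keeps
// insertion order, so re-inserting on each hit makes the first key the LRU.
class LruCache {
  constructor(cacheSize = 100) {
    this.max = cacheSize;
    this.map = new Map();
  }
  get(key) {
    if (!this.map.has(key)) return undefined;
    const value = this.map.get(key);
    this.map.delete(key);      // move to most-recently-used position
    this.map.set(key, value);
    return value;
  }
  set(key, value) {
    if (this.map.has(key)) this.map.delete(key);
    else if (this.map.size >= this.max) {
      this.map.delete(this.map.keys().next().value); // evict LRU entry
    }
    this.map.set(key, value);
  }
  get size() { return this.map.size; }
}

// Simplified serializer selection memoised on the full header string,
// which is the attacker-controlled cache key the advisory describes.
function selectSerializer(cache, acceptHeader) {
  const hit = cache.get(acceptHeader);
  if (hit) return hit;
  const chosen = /text\/plain/.test(acceptHeader) ? 'text' : 'json';
  cache.set(acceptHeader, chosen);
  return chosen;
}

// Constructed input: `n` distinct but equivalent Accept variants (differing
// only in q-value). Returns how many entries the cache retains afterwards.
function entriesAfterVariants(cache, n) {
  for (let i = 0; i < n; i++) {
    selectSerializer(cache, `application/json;q=0.${i}`);
  }
  return cache.size;
}
```

With the unbounded cache the retained count equals the number of variants sent; with the LRU it never exceeds `cacheSize`.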

PUBLISHED Reserved 2026-05-04 | Published 2026-05-04 | Updated 2026-05-04 | Assigner openjs

HIGH: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-770: Allocation of Resources Without Limits or Throttling

Product status

Default status: unaffected

Any version before 6.0.4: affected

6.0.4 (semver): unaffected

Credits

Yuki Matsuhashi (finder)

Ulises Gascón (remediation reviewer)

Manuel Spigolon (remediation developer)

References

cna.openjsf.org/security-advisories.html

github.com/...alizer/security/advisories/GHSA-qxhc-wx3p-2wmg

cve.org (CVE-2026-7768)

nvd.nist.gov (CVE-2026-7768)