Skip to main content

@fastify/accepts-serializer CVE-2026-7768

| EUVDEUVD-2026-27131 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-04 openjs GHSA-qxhc-wx3p-2wmg
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
May 04, 2026 - 21:02 EUVD
Analysis Generated
May 04, 2026 - 20:00 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on @fastify/accepts-serializer (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.0.4.

DescriptionCVE.org

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option.

AnalysisAI

Unbounded cache growth in @fastify/accepts-serializer versions ≤6.0.3 allows remote unauthenticated attackers to exhaust Node.js heap memory by sending numerous distinct Accept header variants, crashing the application. The plugin caches serializer selections keyed by Accept header without size limits, enabling trivial memory exhaustion attacks against any exposed Fastify endpoint. Fix available in version 6.0.4, which implements an LRU cache with 100-entry default limit. No public exploit code identified at time of analysis, but attack is straightforward to execute with basic HTTP tools.

Technical ContextAI

The @fastify/accepts-serializer plugin for Fastify framework optimizes content negotiation by caching serializer-selection decisions based on HTTP Accept headers. The vulnerability stems from CWE-770 (Allocation of Resources Without Limits or Throttling) - the cache implementation prior to 6.0.4 stored mappings in an unbounded in-memory structure without eviction policy. Since Accept headers can contain arbitrary media type lists with quality parameters (e.g., application/json;q=0.9, text/html;q=0.8), attackers can generate functionally equivalent but textually distinct headers that each create a new cache entry. In Node.js environments, uncontrolled heap growth eventually triggers out-of-memory exceptions, terminating the process. The CPE identifier cpe:2.3:a:@fastify/accepts-serializer:@fastify/accepts-serializer confirms the affected component is the npm package itself, impacting any Fastify application using this plugin for content negotiation.

RemediationAI

Upgrade @fastify/accepts-serializer to version 6.0.4 or later, which implements an LRU (Least Recently Used) cache with default 100-entry limit as documented in GitHub advisory GHSA-qxhc-wx3p-2wmg. Update package.json dependency and run npm install or yarn install, then restart Node.js processes. If immediate upgrade is blocked, implement compensating controls: (1) deploy reverse proxy (nginx, Cloudflare) to normalize/limit Accept header variations before reaching Node.js backend - configure max header size of 4KB and rate-limit distinct header patterns per IP (trade-off: complex regex rules, potential legitimate traffic blocking); (2) enable Node.js --max-old-space-size flag with monitoring to detect heap exhaustion before crash and trigger graceful restart (trade-off: service interruption still occurs, just more controlled); (3) restrict application exposure to authenticated clients only via API gateway (trade-off: eliminates public API use cases). Primary fix of upgrading to 6.0.4 has no known side effects and maintains backward compatibility while adding configurable cacheSize option for custom tuning.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-7768 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy