Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1 npm packages depend on @fastify/accepts-serializer (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 6.0.4.
DescriptionCVE.org
@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option.
AnalysisAI
Unbounded cache growth in @fastify/accepts-serializer versions ≤6.0.3 allows remote unauthenticated attackers to exhaust Node.js heap memory by sending numerous distinct Accept header variants, crashing the application. The plugin caches serializer selections keyed by Accept header without size limits, enabling trivial memory exhaustion attacks against any exposed Fastify endpoint. Fix available in version 6.0.4, which implements an LRU cache with 100-entry default limit. No public exploit code identified at time of analysis, but attack is straightforward to execute with basic HTTP tools.
Technical ContextAI
The @fastify/accepts-serializer plugin for Fastify framework optimizes content negotiation by caching serializer-selection decisions based on HTTP Accept headers. The vulnerability stems from CWE-770 (Allocation of Resources Without Limits or Throttling) - the cache implementation prior to 6.0.4 stored mappings in an unbounded in-memory structure without eviction policy. Since Accept headers can contain arbitrary media type lists with quality parameters (e.g., application/json;q=0.9, text/html;q=0.8), attackers can generate functionally equivalent but textually distinct headers that each create a new cache entry. In Node.js environments, uncontrolled heap growth eventually triggers out-of-memory exceptions, terminating the process. The CPE identifier cpe:2.3:a:@fastify/accepts-serializer:@fastify/accepts-serializer confirms the affected component is the npm package itself, impacting any Fastify application using this plugin for content negotiation.
RemediationAI
Upgrade @fastify/accepts-serializer to version 6.0.4 or later, which implements an LRU (Least Recently Used) cache with default 100-entry limit as documented in GitHub advisory GHSA-qxhc-wx3p-2wmg. Update package.json dependency and run npm install or yarn install, then restart Node.js processes. If immediate upgrade is blocked, implement compensating controls: (1) deploy reverse proxy (nginx, Cloudflare) to normalize/limit Accept header variations before reaching Node.js backend - configure max header size of 4KB and rate-limit distinct header patterns per IP (trade-off: complex regex rules, potential legitimate traffic blocking); (2) enable Node.js --max-old-space-size flag with monitoring to detect heap exhaustion before crash and trigger graceful restart (trade-off: service interruption still occurs, just more controlled); (3) restrict application exposure to authenticated clients only via API gateway (trade-off: eliminates public API use cases). Primary fix of upgrading to 6.0.4 has no known side effects and maintains backward compatibility while adding configurable cacheSize option for custom tuning.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27131
GHSA-qxhc-wx3p-2wmg