Manuel Spigolon

**Name of the Vulnerable Software and Affected Versions** @fastify/accepts-serializer versions prior to 6.0.4 **Description** An issue exists where serializer-selection results are cached using the request `Accept` header as a key without a size limit or eviction policy. A remote unauthenticated client can send numerous distinct but matching `Accept` header variants, causing the cache to grow unbounded. This can lead to the exhaustion of the Node.js heap and result in a process crash, causing a Denial of Service (DoS). **Recommendations** Update to version 6.0.4 or later.