PT-2026-36915 · Npm · @Fastify/Accepts-Serializer
Manuel Spigolon +2 · Published 2026-05-04 · Updated 2026-05-04 · CVE-2026-7768
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
@fastify/accepts-serializer versions prior to 6.0.4
Description
An issue exists where serializer-selection results are cached using the request Accept header as a key without a size limit or eviction policy. A remote unauthenticated client can send numerous distinct but matching Accept header variants, causing the cache to grow unbounded. This can lead to the exhaustion of the Node.js heap and result in a process crash, causing a Denial of Service (DoS).
Recommendations
Update to version 6.0.4 or later.
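For code that keeps its own header-keyed cache, the sketch below contrasts the unbounded pattern from the description with a cache that has the size limit and eviction policy it lacked. This is an added example, not the plugin's code or the 6.0.4 patch; all names, the two limits, and the simplified `pickSerializer` are assumptions for illustration.

```javascript
// Added example; every name here is hypothetical, not the plugin's API.
const MAX_ENTRIES = 100;    // assumed cap on distinct cached Accept values
const MAX_KEY_LENGTH = 256; // assumed cap; longer headers are never cached

class BoundedCache {
  constructor(maxEntries = MAX_ENTRIES, maxKeyLength = MAX_KEY_LENGTH) {
    this.maxEntries = maxEntries;
    this.maxKeyLength = maxKeyLength;
    this.map = new Map(); // Map iterates in insertion order: oldest first
  }
  get size() { return this.map.size; }
  get(key) {
    if (!this.map.has(key)) return undefined;
    const value = this.map.get(key);
    this.map.delete(key); // re-insert to mark as most recently used
    this.map.set(key, value);
    return value;
  }
  set(key, value) {
    if (key.length > this.maxKeyLength) return false; // size limit per key
    if (this.map.has(key)) this.map.delete(key);
    else if (this.map.size >= this.maxEntries) {
      this.map.delete(this.map.keys().next().value); // evict least recently used
    }
    this.map.set(key, value);
    return true;
  }
}

// Simplified stand-in for content negotiation (ignores q-values).
function pickSerializer(acceptHeader, serializers) {
  const wanted = acceptHeader.split(',')
    .map((part) => part.split(';')[0].trim().toLowerCase());
  return serializers.find((s) => wanted.includes(s.type)) || null;
}

// Pattern from the description: a plain Map gains one entry per distinct header.
function selectUnbounded(map, acceptHeader, serializers) {
  if (!map.has(acceptHeader)) map.set(acceptHeader, pickSerializer(acceptHeader, serializers));
  return map.get(acceptHeader);
}

// Hardened form: same lookup, but memory use is capped by the cache limits.
function selectCached(cache, acceptHeader, serializers) {
  const hit = cache.get(acceptHeader);
  if (hit !== undefined) return hit;
  const chosen = pickSerializer(acceptHeader, serializers);
  cache.set(acceptHeader, chosen);
  return chosen;
}
```

With both limits in place, worst-case cache memory is roughly `MAX_ENTRIES × MAX_KEY_LENGTH` characters plus the cached values, regardless of how many distinct headers arrive.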
Fix
DoS
Allocation of Resources Without Limits
Weakness Enumeration
Related Identifiers
Affected Products
@Fastify/Accepts-Serializer