PT-2026-5743 · Fastify · Fastify

Mcollina · Published 2026-02-02 · Updated 2026-02-10 · CVE-2026-25224

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Fastify versions prior to 5.7.3

Description: Fastify is a web framework for Node.js. A denial-of-service condition exists in Fastify's Web Streams response handling. When backpressure from the client connection is ignored, a slow or non-reading client can cause unbounded buffering of response data, potentially leading to process crashes or significant performance degradation. Applications that use reply.send() to return a ReadableStream, or a Response whose body is a Web Stream, are susceptible. The issue can allow a remote client to exhaust server memory.

Recommendations: Versions prior to 5.7.3 should be upgraded to version 5.7.3 or later. As a workaround, avoid sending Web Streams (e.g., ReadableStream or Response bodies) from Fastify responses. Use Node.js streams (stream.Readable) or buffered payloads instead.

Weakness Enumeration

DoS
Allocation of Resources Without Limits

Related Identifiers

CVE-2026-25224
GHSA-MRQ3-VJJR-P77C

Affected Products

Fastify