Description
@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option.
Published: 2026-05-04
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unbounded cache of serializer-selection results keyed by the Accept HTTP header can grow indefinitely. A remote, unauthenticated client can send many distinct but matching Accept header variants, causing the Node.js heap to be exhausted and the process to crash. The weakness is a resource-allocation flaw (CWE-770, Allocation of Resources Without Limits or Throttling).

Affected Systems

@fastify/accepts-serializer, versions <=6.0.3. The issue affects all Node.js applications that use this package. Upgrade to 6.0.4 or later, which limits the cache with an LRU policy of 100 entries by default, or configure the cacheSize option.

Risk and Exploitability

The vulnerability has a CVSS v3.1 base score of 7.5 (High); the vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) shows the impact is limited to availability. No EPSS data is available and the flaw is not listed in the CISA KEV catalog. A remote attacker can trigger the denial of service simply by sending fabricated Accept headers over HTTP, without authentication. The lack of a safeguard allows the cache to grow until the process fails, leading to service interruption.

Generated by OpenCVE AI on May 4, 2026 at 20:21 UTC.
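The following is an added example, not code from @fastify/accepts-serializer or from OpenCVE. It models the weakness and the fix described above: a selector that caches results keyed by the raw Accept header in a plain Map grows with every distinct header value, while the same selector behind a bounded LRU cache stays at its cap. LruCache, selectSerializer, makeUnboundedSelector, makeBoundedSelector and simulate are hypothetical names; the plugin's real internals and the semantics of its cacheSize option are not reproduced here, and the Accept header variants are constructed sample input.

```javascript
// Added example (not the plugin's code): contrast an unbounded
// serializer-selection cache keyed by the raw Accept header with a
// bounded LRU cache, to show why CWE-770 leads to heap growth and
// how a cap stops it.

// Minimal LRU built on Map insertion order. Hypothetical helper; the
// real plugin's cache and its cacheSize option may differ.
class LruCache {
  constructor(maxSize) {
    if (!Number.isInteger(maxSize) || maxSize < 1) {
      throw new RangeError('maxSize must be a positive integer');
    }
    this.maxSize = maxSize;
    this.map = new Map();
  }
  get(key) {
    if (!this.map.has(key)) return undefined;
    const value = this.map.get(key);
    // Re-insert so this key becomes the most recently used.
    this.map.delete(key);
    this.map.set(key, value);
    return value;
  }
  set(key, value) {
    if (this.map.has(key)) this.map.delete(key);
    this.map.set(key, value);
    if (this.map.size > this.maxSize) {
      // Evict the least recently used entry (first key in insertion order).
      const oldest = this.map.keys().next().value;
      this.map.delete(oldest);
    }
  }
  get size() { return this.map.size; }
}

// Stand-in for serializer selection: return the first offered media type
// the Accept header names, else the first offered type. Deliberately simple.
function selectSerializer(acceptHeader, offered) {
  const wanted = acceptHeader.split(',').map(s => s.trim().split(';')[0]);
  for (const type of wanted) {
    if (offered.includes(type)) return type;
  }
  return offered[0];
}

// Unbounded variant: every distinct header string adds an entry that is
// never evicted, so memory tracks attacker-controlled header diversity.
function makeUnboundedSelector(offered) {
  const cache = new Map();
  return {
    select(accept) {
      if (!cache.has(accept)) cache.set(accept, selectSerializer(accept, offered));
      return cache.get(accept);
    },
    get cacheSize() { return cache.size; },
  };
}

// Bounded variant: same lookup, but the LRU cap limits resident entries
// (100 by default, mirroring the default described in the advisory).
function makeBoundedSelector(offered, cacheSize = 100) {
  const cache = new LruCache(cacheSize);
  return {
    select(accept) {
      let result = cache.get(accept);
      if (result === undefined) {
        result = selectSerializer(accept, offered);
        cache.set(accept, result);
      }
      return result;
    },
    get cacheSize() { return cache.size; },
  };
}

// Simulation over constructed headers: each variant differs only in its
// q-value suffix, so all select the same serializer yet are distinct keys.
function simulate(requests, cacheSize = 100) {
  const offered = ['application/json', 'application/xml'];
  const unbounded = makeUnboundedSelector(offered);
  const bounded = makeBoundedSelector(offered, cacheSize);
  for (let i = 0; i < requests; i++) {
    const accept = `application/json;q=0.${i}`; // constructed sample header
    unbounded.select(accept);
    bounded.select(accept);
  }
  return { unboundedEntries: unbounded.cacheSize, boundedEntries: bounded.cacheSize };
}

console.log(simulate(10000)); // { unboundedEntries: 10000, boundedEntries: 100 }
```

The unbounded selector ends with one entry per distinct header seen, which is the growth the advisory describes; the bounded selector never exceeds its cap regardless of request count, which is the property a patched deployment should exhibit. A cache keyed by a header the client controls needs a bound in every case, since normalizing variants only narrows, never removes, the space of distinct keys.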

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update @fastify/accepts-serializer to version 6.0.4 or newer to enforce the bounded LRU cache.
  • If an immediate upgrade is not possible, configure the plugin's cacheSize option to a smaller value to reduce memory usage.
  • Monitor the Node.js process for heap exhaustion and employ rate limiting or application-level header validation to limit Accept header diversity.


Tracking


Advisories

No advisories yet.

History

Mon, 04 May 2026 20:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 May 2026 19:30:00 +0000

Type          Values Removed   Values Added
Description                    @fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option.
Title                          @fastify/accepts-serializer vulnerable to Denial of Service via Unbounded Accept Header Cache Growth
Weaknesses                     CWE-770
References
Metrics                        cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-05-04T19:50:16.465Z

Reserved: 2026-05-04T11:50:02.918Z

Link: CVE-2026-7768

Vulnrichment

Updated: 2026-05-04T19:50:12.504Z

NVD

Status : Received

Published: 2026-05-04T20:16:21.107

Modified: 2026-05-04T20:16:21.107

Link: CVE-2026-7768

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T20:30:08Z

Weaknesses