CVE-2026-25224

Description

### Impact A Denial of Service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a `ReadableStream` (or `Response` with a Web Stream body) via `reply.send()` are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. ### Patches The issue is fixed in Fastify 5.7.3. Users should upgrade to 5.7.3 or later. ### Workarounds Avoid sending Web Streams from Fastify responses (e.g., `ReadableStream` or `Response` bodies). Use Node.js streams (`stream.Readable`) or buffered payloads instead until the project can upgrade. ### References - https://hackerone.com/reports/3524779

How to fix CVE-2026-25224

To remediate CVE-2026-25224, upgrade the affected package to a fixed version below.

• —upgrade to 5.7.3 or later

Is CVE-2026-25224 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 5.7.3

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-25224
• PATCHgithub.com/fastify/fastify
• WEBgithub.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37
• WEBgithub.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c
• WEB