Vulnerability Description
Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fastify | Fastify | < 5.7.3 |
Related Weaknesses (CWE)
References
- https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026bePatch
- https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77cVendor Advisory
- https://hackerone.com/reports/3524779Permissions Required
FAQ
What is CVE-2026-25224?
CVE-2026-25224 is a vulnerability with a CVSS score of 3.7 (LOW). Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust...
How severe is CVE-2026-25224?
CVE-2026-25224 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25224?
Check the references section above for vendor advisories and patch information. Affected products include: Fastify Fastify.