GHSA-MRQ3-VJJR-P77C

Vulnerability from github – Published: 2026-02-02 22:25 – Updated: 2026-02-04 17:46
VLAI?
Summary
Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream
Details

Impact

A Denial of Service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation.

Patches

The issue is fixed in Fastify 5.7.3. Users should upgrade to 5.7.3 or later.

Workarounds

Avoid sending Web Streams from Fastify responses (e.g., ReadableStream or Response bodies). Use Node.js streams (stream.Readable) or buffered payloads instead until the project can upgrade.

References

  • https://hackerone.com/reports/3524779
Severity ?
3.7 (Low)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.7.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "fastify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25224"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-02T22:25:05Z",
    "nvd_published_at": "2026-02-03T22:16:31Z",
    "severity": "LOW"
  },
  "details": "### Impact\nA Denial of Service vulnerability in Fastify\u2019s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a `ReadableStream` (or `Response` with a Web Stream body) via `reply.send()` are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation.\n\n### Patches\nThe issue is fixed in Fastify 5.7.3. Users should upgrade to 5.7.3 or later.\n\n### Workarounds\nAvoid sending Web Streams from Fastify responses (e.g., `ReadableStream` or `Response` bodies). Use Node.js streams (`stream.Readable`) or buffered payloads instead until the project can upgrade.\n\n### References\n- https://hackerone.com/reports/3524779",
  "id": "GHSA-mrq3-vjjr-p77c",
  "modified": "2026-02-04T17:46:06Z",
  "published": "2026-02-02T22:25:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25224"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3524779"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fastify/fastify"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.