CVE-2026-7768

Published: Mag 04, 2026 Last Modified: Mag 04, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,5

Source: ce714d77-add3-4f53-aff5-83d477b104bb

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: none

Availability: high

Description

AI Translation Available

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option.

770

Allocation of Resources Without Limits or Throttling

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Availability

Potential Impacts:

Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other)

Applicable Platforms

All platforms may be affected

Likelihood of Exploit: High

View CWE Details

https://cna.openjsf.org/security-advisories.html

https://github.com/fastify/fastify-accepts-serializer/secur…

https://github.com/fastify/fastify-accepts-serializer/security/advisories/GHSA-…

CVE-2026-7768

Description

Allocation of Resources Without Limits or Throttling

Common Consequences

Applicable Platforms

Iscriviti alla newsletter