CVE-2026-25224
⚪ For information
Fastify has a DoS vulnerability that allows a remote client to exhaust the server's memory.
CVSS: 3.7
EPSS: 0.5%
Exploit: none
Vendor: fastify
Source description (NVD)
Fastify is a fast and low overhead web framework for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.
none
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 3.7 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.5% |
| Published (NVD) | 2026-02-03 22:16:31 UTC |
| Last modified (NVD) | 2026-06-17 10:24:20 UTC |
References
- https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37 (security-advisories@github.com) [Patch]
- https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c (security-advisories@github.com) [Vendor Advisory]
- https://hackerone.com/reports/3524779 (security-advisories@github.com) [Permissions Required]