


Perceptive Security
SOC/SIEM Consultancy

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthentic…
Published:
3 May 2026 at 22:00:00
Alert date:
4 May 2026 at 21:01:39
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies
CVE-2026-7768 affects @fastify/accepts-serializer versions 6.0.3 and below. The vulnerability allows remote unauthenticated attackers to cause a denial of service by sending many distinct Accept header variants. Because serializer-selection results are cached keyed by the request Accept header, with no size limit or eviction policy, each distinct value adds a new entry and the cache grows without bound, eventually exhausting Node.js heap memory and crashing the process. The issue is fixed in version 6.0.4, which replaces the cache with an LRU cache limited to 100 entries by default; the cacheSize plugin option allows the limit to be configured.
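As an added illustration of the mitigation the advisory describes (this is not the plugin's own code), the following JavaScript memoises serializer selection behind an LRU cache capped at 100 entries by default, with the cap configurable; SerializerCache, selectSerializer and makeNegotiator are assumed names and the negotiation logic is a constructed stand-in.

```javascript
// Added example, not the plugin's own code: a bounded LRU cache for
// serializer-selection results keyed by the Accept header, the shape of fix
// the advisory describes (default cap of 100 entries, configurable).
// SerializerCache, selectSerializer and makeNegotiator are hypothetical names.
const DEFAULT_CACHE_SIZE = 100; // default limit stated in the advisory

class SerializerCache {
  constructor(cacheSize = DEFAULT_CACHE_SIZE) {
    if (!Number.isInteger(cacheSize) || cacheSize < 1) throw new TypeError('cacheSize must be >= 1');
    this.cacheSize = cacheSize;
    this.map = new Map(); // Map keeps insertion order: first key is least recently used
  }
  get size() { return this.map.size; }
  get(key) {
    if (!this.map.has(key)) return undefined;
    const value = this.map.get(key);
    this.map.delete(key); // re-insert to mark as most recently used
    this.map.set(key, value);
    return value;
  }
  set(key, value) {
    if (this.map.has(key)) this.map.delete(key);
    else if (this.map.size >= this.cacheSize) this.map.delete(this.map.keys().next().value); // evict LRU
    this.map.set(key, value);
  }
}

// Constructed stand-in for content negotiation: the first supported type named
// in the Accept header wins; otherwise the first supported type is the default.
const SUPPORTED = ['application/json', 'application/xml', 'text/plain'];
function selectSerializer(acceptHeader) {
  const wanted = String(acceptHeader || '*/*').split(',').map((s) => s.trim().split(';')[0]);
  return SUPPORTED.find((t) => wanted.includes(t)) || SUPPORTED[0];
}

// Memoised negotiation: distinct Accept values can never grow the cache past cacheSize.
function makeNegotiator(cacheSize) {
  const cache = new SerializerCache(cacheSize);
  function negotiate(acceptHeader) {
    const key = String(acceptHeader || '');
    let type = cache.get(key);
    if (type === undefined) {
      type = selectSerializer(acceptHeader);
      cache.set(key, type);
    }
    return type;
  }
  return { cache, negotiate };
}
```

Feeding many distinct Accept values through negotiate() leaves cache.size at the configured limit rather than growing with every request.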
Technical details
Mitigation steps:
Affected products:
@fastify/accepts-serializer
Node.js
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-7768
https://cna.openjsf.org/security-advisories.html
https://github.com/fastify/fastify-accepts-serializer/security/advisories/GHSA-qxhc-wx3p-2wmg
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
