@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthentic…

CVE-2026-7768 affects @fastify/accepts-serializer versions 6.0.3 and below. The vulnerability allows remote unauthenticated attackers to cause denial of service by sending many distinct Accept header variants. This causes unbounded cache growth, eventually exhausting Node.js heap memory and crashing the process. The issue stems from cached serializer-selection results without size limits or eviction policies. Fixed in version 6.0.4 with LRU cache implementation limiting entries to 100 by default. The cacheSize plugin option allows configuration of cache limits.