CVE-2026-7768

7.5 HIGH

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy

Published: 2026-05-04 · Last updated: 2026-05-29

Severity and scoring

CVSS: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-770

Affected products

Vendor	Product
fastify	fastify\/accepts-serializer

Description

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-7768
[Vendor advisory]https://cna.openjsf.org/security-advisories.html
[Vendor advisory]https://github.com/fastify/fastify-accepts-serializer/security/advisories/GHSA-qxhc-wx3p-2wmg

Related CVEs

Same vendor

CVE-2026-33805 — @fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the prox... (8.6 HIGH)
CVE-2026-33808 — Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normaliza... (9.1 CRITICAL)
CVE-2026-33807 — @fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled wh... (9.1 CRITICAL)

Same CWE

CVE-2026-53781 — Summarize before 0.17.0 contains a resource exhaustion vulnerability that allows remote attackers to cause disk exhaustion by serving med... (4.3 MEDIUM)
CVE-2026-45802 — FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF
CVE-2026-44488 — Axios is a promise based HTTP client for the browser and Node.js (7.5 HIGH)
CVE-2026-7250 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19... (7.5 HIGH)
CVE-2026-53423 — Allocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane_mp4_plugin allows unauthenticated denial...