CVE-2026-7768
Published: 04 May 2026
Description
@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option.
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.
- Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.
- Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit a lack of throttling to cause prolonged outages.
- Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.
- Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.
- Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.
- Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.
- Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.
Security Summary
CVE-2026-7768 is a vulnerability in the @fastify/accepts-serializer plugin for Fastify, affecting versions up to and including 6.0.3. The plugin caches serializer-selection results keyed solely by the request's Accept header without any size limit or eviction policy. This design flaw allows the cache to grow unbounded under certain conditions, leading to exhaustion of the Node.js heap and subsequent process crashes.
A remote unauthenticated attacker can exploit this vulnerability by sending a high volume of requests with distinct but matching Accept header variants. Each unique variant populates a new cache entry, causing rapid memory consumption until the Node.js heap is depleted, resulting in a denial-of-service that crashes the affected server process. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) underscores its network accessibility and high availability impact, mapped to CWE-770 (Allocation of Resources Without Limits or Throttling).
Advisories recommend updating to version 6.0.4 or later, which introduces an LRU cache with a default size limit of 100 entries, configurable via the new cacheSize plugin option. Details are provided in the OpenJSF CNA security advisories at https://cna.openjsf.org/security-advisories.html and the GitHub advisory at https://github.com/fastify/fastify-accepts-serializer/security/advisories/GHSA-qxhc-wx3p-2wmg.
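To make the weakness and the fix concrete, the following is an added example written for this page; it is not code from @fastify/accepts-serializer, and `selectSerializer`, `UnboundedCache`, `LruCache` and `simulate` are hypothetical stand-ins. It places the vulnerable pattern (a Map keyed by the raw Accept header string with no eviction) beside a bounded LRU in the spirit of the 6.0.4 fix, and feeds both a constructed stream of distinct-but-equivalent Accept header strings so the difference in memory growth is visible.

```javascript
// Added example, not the plugin's own code. Demonstrates CWE-770 in a
// header-keyed cache and the LRU bound that removes it.

// Constructed sample of serializers the server can offer.
const SERIALIZERS = ['application/json', 'text/plain'];

// Hypothetical stand-in for content negotiation: return the first offered
// type named in the Accept header, or fall back to the first serializer.
function selectSerializer(accept) {
  const wanted = accept
    .split(',')
    .map((part) => part.split(';')[0].trim().toLowerCase());
  return SERIALIZERS.find((s) => wanted.includes(s)) ?? SERIALIZERS[0];
}

// Vulnerable pattern: every distinct header string becomes a new entry and
// nothing ever evicts, so memory use is controlled by the client.
class UnboundedCache {
  constructor() { this.map = new Map(); }
  get(key, compute) {
    if (!this.map.has(key)) this.map.set(key, compute(key));
    return this.map.get(key);
  }
  has(key) { return this.map.has(key); }
  get size() { return this.map.size; }
}

// Hardened pattern: an LRU built on Map insertion order. Re-inserting a key
// moves it to the most-recent end; the oldest key is evicted past maxSize.
class LruCache {
  constructor(maxSize = 100) {
    this.maxSize = maxSize;
    this.map = new Map();
  }
  get(key, compute) {
    if (this.map.has(key)) {
      const value = this.map.get(key);
      this.map.delete(key);
      this.map.set(key, value); // refresh recency
      return value;
    }
    const value = compute(key);
    this.map.set(key, value);
    if (this.map.size > this.maxSize) {
      // Map iterates in insertion order, so the first key is least recently used.
      this.map.delete(this.map.keys().next().value);
    }
    return value;
  }
  has(key) { return this.map.has(key); }
  get size() { return this.map.size; }
}

// Drive both caches with n distinct Accept strings that all negotiate to the
// same serializer (constructed: the q parameter varies, the media type does
// not) and report how many entries each cache holds afterwards.
function simulate(n, cacheSize = 100) {
  const unbounded = new UnboundedCache();
  const bounded = new LruCache(cacheSize);
  for (let i = 0; i < n; i++) {
    const accept = `application/json;q=0.${String(i).padStart(6, '0')}`;
    unbounded.get(accept, selectSerializer);
    bounded.get(accept, selectSerializer);
  }
  return { unboundedEntries: unbounded.size, boundedEntries: bounded.size };
}

module.exports = { selectSerializer, UnboundedCache, LruCache, simulate };
```

Running `simulate(1000)` leaves the unbounded cache with 1000 entries and the LRU with exactly 100, the default the advisory describes; the operational lesson is that any cache keyed by a client-controlled string needs a bound (and a metric on its size) regardless of how cheap each entry looks.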
Details
- CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unbounded cache (CWE-770) is directly exploitable by an unauthenticated remote attacker sending crafted Accept-header variants, causing heap exhaustion and process crash; this precisely matches T1499.004 Application or System Exploitation under Endpoint Denial of Service.