Denial-of-Service Vulnerability in Fastify Web Framework for Node.js
CVE-2026-25224
3.7 LOW
What is CVE-2026-25224?
Fastify, a web framework for Node.js, mishandles backpressure when a route sends a Web Streams response. Before version 5.7.3, an application that passes a ReadableStream, or a Response whose body is a Web Stream, to reply.send() is affected: when the client reads the response more slowly than the stream produces it, backpressure is not propagated back to the source, and the output is buffered in process memory without bound. A remote attacker can use this to exhaust the server's memory, crashing the process or severely degrading its performance. The issue is fixed in version 5.7.3.
Affected Version(s)
fastify < 5.7.3
