Unbounded Cache Vulnerability in Fastify Accepts Serializer
CVE-2026-7768

7.5HIGH

What is CVE-2026-7768?

The Fastify accepts-serializer component (@fastify/accepts-serializer) caches the result of serializer selection keyed on the request's Accept header, and that cache has no upper bound. A remote, unauthenticated client can send requests whose Accept headers differ from one another, so that each request creates a new cache entry and the cache grows without limit. Left unchecked, this growth exhausts the Node.js heap and crashes the running process. Users are advised to upgrade to version 6.0.4 or later, which introduces a bounded Least Recently Used (LRU) cache that defaults to 100 entries and can be tuned with a new cacheSize option.
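To make the fix concrete, here is an added example (not the plugin's own code) of the vulnerable pattern beside the bounded one: a selection cache keyed by the raw Accept header that grows with every distinct header, and the same cache capped at cacheSize entries with least-recently-used eviction. The serializer list and the selectSerializer negotiation logic are constructed stand-ins, not the plugin's implementation.

```javascript
// Constructed serializer table; the real plugin negotiates over user-registered ones.
const SERIALIZERS = [
  { type: 'application/json', name: 'json' },
  { type: 'application/yaml', name: 'yaml' },
];

// Constructed stand-in for content negotiation: pick the first offered type
// that appears in the Accept header, otherwise fall back to the first serializer.
function selectSerializer(accept) {
  const wanted = accept.split(',').map((s) => s.trim().split(';')[0]);
  return SERIALIZERS.find((s) => wanted.includes(s.type)) || SERIALIZERS[0];
}

// Vulnerable pattern: every distinct Accept string adds an entry that is never evicted.
class UnboundedCache {
  constructor() { this.map = new Map(); }
  get(accept) {
    if (!this.map.has(accept)) this.map.set(accept, selectSerializer(accept));
    return this.map.get(accept);
  }
  get size() { return this.map.size; }
}

// Hardened pattern: LRU bounded at cacheSize (default 100, matching the advisory).
// Map preserves insertion order, so the first key is the least recently used.
class LruCache {
  constructor(cacheSize = 100) { this.max = cacheSize; this.map = new Map(); }
  get(accept) {
    let hit = this.map.get(accept);
    if (hit !== undefined) {
      this.map.delete(accept); // re-insert below to mark as most recently used
    } else {
      hit = selectSerializer(accept);
      if (this.map.size >= this.max) {
        this.map.delete(this.map.keys().next().value); // evict least recently used
      }
    }
    this.map.set(accept, hit);
    return hit;
  }
  get size() { return this.map.size; }
}

// Feed a cache one request per distinct (constructed) Accept header and report its size.
function simulate(cache, requests) {
  for (let i = 0; i < requests; i++) cache.get(`text/plain;v=${i}, application/json`);
  return cache.size;
}
```

Running simulate against both caches with the same request stream shows the unbounded one holding one entry per request while the LRU stays at its cap.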

Affected Version(s)

Affected: @fastify/accepts-serializer, all versions from 0 before 6.0.4 (< 6.0.4)

Fixed: @fastify/accepts-serializer 6.0.4

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yuki Matsuhashi
Ulises Gascón
Manuel Spigolon