Platform: nodejs
Component: fastify
Fixed in: 5.7.4, 5.7.3
CVE-2026-25224 describes a Denial of Service (DoS) vulnerability within Fastify's Web Streams response handling. A malicious or slow client can trigger unbounded buffering when backpressure is ignored, potentially causing process crashes or significant performance degradation. This vulnerability impacts applications using Fastify 5.x and can be resolved by upgrading to version 5.7.3 or later.
The core impact of CVE-2026-25224 is server memory exhaustion. An attacker requests a response that Fastify serves through its Web Streams handling and then reads it slowly or not at all; because the server does not honour the client's backpressure, it keeps pulling from the stream and buffering data the client has not yet consumed. Over time this unbounded buffering can consume all available memory, resulting in a denial of service. The blast radius covers any application that relies on Fastify as its web server, particularly those calling reply.send() with a ReadableStream or a Response body. No active exploitation has been publicly reported, but the vulnerability is easy to trigger, which makes it a plausible target for opportunistic attacks.
CVE-2026-25224 is not currently listed on the CISA KEV catalog. The EPSS score is likely low due to the requirement of crafting a specific request to trigger the vulnerability and the lack of public exploits. A public proof-of-concept is not yet available, but the vulnerability's nature suggests it could be relatively easy to exploit once a PoC is developed. The vulnerability was disclosed on 2026-02-02.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-25224 is to upgrade Fastify to version 5.7.3 or later, which includes the fix. If an immediate upgrade is not feasible, a workaround is to avoid Web Streams in Fastify responses: do not pass ReadableStream objects, or Response objects with Web Stream bodies, to reply.send(), and use alternative response formats such as plain text or JSON instead. This is not a complete solution, but it significantly reduces the attack surface. There are no specific WAF rules or detection signatures readily available for this vulnerability, because it stems from application-level behaviour rather than from a recognisable request pattern. After upgrading, confirm the fix by requesting a large streamed response from a client that reads it slowly, and monitoring the server's memory usage while it does so.
Update Fastify to version 5.7.3 or later. This will fix the denial of service vulnerability caused by unbounded memory allocation in sendWebStream. The update will prevent a slow or non-reading client from causing excessive memory consumption on the server.
CVE-2026-25224 is a Denial of Service vulnerability in Fastify's Web Streams response handling. A slow client can exhaust server memory, potentially causing crashes.
If you are using Fastify 5.x and utilize Web Streams for response handling, you are potentially affected. Upgrade to 5.7.3 or later to mitigate the risk.
Upgrade Fastify to version 5.7.3 or later. As a temporary workaround, avoid using Web Streams in your responses.
There are no confirmed reports of active exploitation at this time, but the vulnerability's nature makes it a potential target.
Refer to the Fastify project's security advisories on their GitHub repository: [https://github.com/fastify/fastify/security/advisories](https://github.com/fastify/fastify/security/advisories)