Platform: nodejs
Component: fastify
Fixed in:
5.7.4
5.7.4
5.7.3
CVE-2026-25224 describes a Denial of Service (DoS) vulnerability within Fastify's Web Streams response handling. A malicious or slow client can trigger unbounded buffering when backpressure is ignored, potentially causing process crashes or significant performance degradation. This vulnerability impacts applications using Fastify 5.x and can be resolved by upgrading to version 5.7.3 or later.
The core impact of CVE-2026-25224 lies in its potential to exhaust server memory. An attacker can craft a request that utilizes Fastify's Web Streams response handling in a way that prevents the server from properly managing backpressure. This leads to the server continuously buffering data intended for a slow or unresponsive client. Over time, this unbounded buffering can consume all available memory, resulting in a denial of service. The blast radius extends to any application relying on Fastify for its web server functionality, particularly those utilizing reply.send() with ReadableStream or Response bodies. While no active exploitation has been publicly reported, the ease of triggering the vulnerability makes it a potential target for opportunistic attacks.
CVE-2026-25224 is not currently listed on the CISA KEV catalog. The EPSS score is likely low due to the requirement of crafting a specific request to trigger the vulnerability and the lack of public exploits. A public proof-of-concept is not yet available, but the vulnerability's nature suggests it could be relatively easy to exploit once a PoC is developed. The vulnerability was disclosed on 2026-02-02.
Applications built with Fastify 5.x that utilize Web Streams for response handling are at risk. This includes applications serving large files or streaming data, particularly those deployed in environments with limited resources or where input validation is insufficient. Shared hosting environments running Fastify applications are also potentially vulnerable.
• nodejs / server: `ps aux | grep -i fastify | grep -i 'readableStream'`
• nodejs / server: `journalctl -u fastify -f | grep -i 'backpressure'`
• generic web: Use a load testing tool (e.g., ApacheBench) to send a large, slow stream to Fastify endpoints and monitor server memory usage. Look for sustained increases in memory consumption.
disclosure
Exploit status
EPSS
0.02% (percentile 4%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-25224 is to upgrade Fastify to version 5.7.3 or later, which includes the fix. If immediate upgrading is not feasible, a workaround involves avoiding the use of Web Streams in Fastify responses. Specifically, refrain from sending ReadableStream objects or Response objects with Web Stream bodies via reply.send(). Consider alternative response formats like plain text or JSON. While not a complete solution, this can significantly reduce the attack surface. There are no specific WAF rules or detection signatures readily available for this vulnerability, as it stems from application-level behavior. After upgrading, confirm the fix by sending a large, slow stream to the Fastify endpoint and monitoring server memory usage.
Update Fastify to version 5.7.3 or later. This fixes the denial-of-service vulnerability caused by unbounded memory allocation in sendWebStream. The update prevents a slow or non-reading client from causing excessive memory consumption on the server.
CVE-2026-25224 is a Denial of Service vulnerability in Fastify's Web Streams response handling. A slow client can exhaust server memory, potentially causing crashes.
If you are using Fastify 5.x and utilize Web Streams for response handling, you are potentially affected. Upgrade to 5.7.3 or later to mitigate the risk.
Upgrade Fastify to version 5.7.3 or later. As a temporary workaround, avoid using Web Streams in your responses.
There are no confirmed reports of active exploitation at this time, but the vulnerability's nature makes it a potential target.
Refer to the Fastify project's security advisories on their GitHub repository: [https://github.com/fastify/fastify/security/advisories](https://github.com/fastify/fastify/security/advisories)