216.73.216.133

CVE-2026-7768

· Published 04/05/2026 20:16 · Modified 04/05/2026 20:16

Labels: CVE-2026-7768 2026-05-04CVE-2026-7768CWE-770ce714d77-add3-4f53-aff5-83d477b104bb

Essential information

Published
04/05/2026 20:16
Modified
04/05/2026 20:16
Author
Creator
CVSS
7.5 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS metrics

Description

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
ce714d77-add3-4f53-aff5-83d477b104bb
NVD
View on NVD

Affected products (CPE)

ProductCPE
fastify / accepts-serializer cpe:2.3:a:fastify:accepts-serializer:<6.0.4:*:*:*:*:*:*:*

References