cvedb.io
CVE-2026-25224
LOW · CVSS 3.7
EPSS exploitation probability: 0%
Published 2026-02-03T22:16:31.290 · Last modified 2026-06-17T10:24:20.147

Summary

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.

Affected products

fastify — fastify

Does this affect you?

Add your gear to cvedb and we'll alert you only when fastify ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.