{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@fastify/accepts-serializer--6.0.3/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-7768"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@fastify/accepts-serializer (\u003c= 6.0.3)"],"_cs_severities":["medium"],"_cs_tags":["dos","denial-of-service","fastify"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003e@fastify/accepts-serializer\u003c/code\u003e package, versions 6.0.3 and earlier, is susceptible to a denial-of-service (DoS) vulnerability. This vulnerability arises from the package\u0026rsquo;s caching mechanism for serializer-selection results, which are keyed by the request\u0026rsquo;s \u003ccode\u003eAccept\u003c/code\u003e header. The cache lacks both a size limit and an eviction policy, making it vulnerable to unbounded growth. An unauthenticated attacker can exploit this by sending numerous distinct \u003ccode\u003eAccept\u003c/code\u003e header variants. Under sustained load, this can exhaust the Node.js heap memory, ultimately causing the process to crash. Defenders should upgrade to version 6.0.4 or later where the cache is bounded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Fastify application utilizing the \u003ccode\u003e@fastify/accepts-serializer\u003c/code\u003e package version 6.0.3 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts HTTP requests with unique variations of the \u003ccode\u003eAccept\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThese requests are sent to the target Fastify application.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e@fastify/accepts-serializer\u003c/code\u003e package caches the serializer selection result based on the unique \u003ccode\u003eAccept\u003c/code\u003e header received in each request.\u003c/li\u003e\n\u003cli\u003eThe attacker floods the application with a high volume of requests, each containing a slightly different \u003ccode\u003eAccept\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe cache grows without bounds, consuming an increasing amount of memory.\u003c/li\u003e\n\u003cli\u003eThe Node.js heap becomes exhausted due to the unbounded cache growth.\u003c/li\u003e\n\u003cli\u003eThe Fastify application crashes, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition, rendering the affected Fastify application unavailable. The impact depends on the criticality of the application; a critical service outage can cause significant disruption and financial losses. While the exact number of affected applications is unknown, any Fastify application using a vulnerable version of \u003ccode\u003e@fastify/accepts-serializer\u003c/code\u003e is susceptible. An attacker can trigger the crash with a relatively small number of requests per second, making detection challenging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003e@fastify/accepts-serializer\u003c/code\u003e version 6.0.4 or later to patch CVE-2026-7768.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for a sudden increase in requests with diverse \u003ccode\u003eAccept\u003c/code\u003e headers, using a rule based on the \u003ccode\u003ewebserver\u003c/code\u003e category, to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement resource monitoring on systems running Fastify applications to detect abnormal memory usage patterns indicative of the DoS attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T17:13:38Z","date_published":"2026-05-08T17:13:38Z","id":"/briefs/2024-01-fastify-dos/","summary":"The @fastify/accepts-serializer package is vulnerable to a denial of service (DoS) attack due to unbounded cache growth, where an attacker can send many distinct Accept header variants, causing the cache to grow unbounded, exhausting the Node.js heap, and crashing the process.","title":"Fastify accepts-serializer Denial of Service via Unbounded Accept Header Cache Growth","url":"https://feed.craftedsignal.io/briefs/2024-01-fastify-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — @Fastify/Accepts-Serializer (\u003c= 6.0.3)","version":"https://jsonfeed.org/version/1.1"}