@Fastify/Accepts-Serializer (<= 6.0.3) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/@fastify/accepts-serializer--6.0.3/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 08 May 2026 17:13:38 +0000Fastify accepts-serializer Denial of Service via Unbounded Accept Header Cache Growthhttps://feed.craftedsignal.io/briefs/2024-01-fastify-dos/Fri, 08 May 2026 17:13:38 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-fastify-dos/The @fastify/accepts-serializer package is vulnerable to a denial of service (DoS) attack due to unbounded cache growth, where an attacker can send many distinct Accept header variants, causing the cache to grow unbounded, exhausting the Node.js heap, and crashing the process.The @fastify/accepts-serializer package, versions 6.0.3 and earlier, is susceptible to a denial-of-service (DoS) vulnerability. This vulnerability arises from the package’s caching mechanism for serializer-selection results, which are keyed by the request’s Accept header. The cache lacks both a size limit and an eviction policy, making it vulnerable to unbounded growth. An unauthenticated attacker can exploit this by sending numerous distinct Accept header variants. Under sustained load, this can exhaust the Node.js heap memory, ultimately causing the process to crash. Defenders should upgrade to version 6.0.4 or later where the cache is bounded.

Attack Chain

  1. An attacker identifies a Fastify application utilizing the @fastify/accepts-serializer package version 6.0.3 or earlier.
  2. The attacker crafts HTTP requests with unique variations of the Accept header.
  3. These requests are sent to the target Fastify application.
  4. The @fastify/accepts-serializer package caches the serializer selection result based on the unique Accept header received in each request.
  5. The attacker floods the application with a high volume of requests, each containing a slightly different Accept header.
  6. The cache grows without bounds, consuming an increasing amount of memory.
  7. The Node.js heap becomes exhausted due to the unbounded cache growth.
  8. The Fastify application crashes, resulting in a denial of service.

Impact

Successful exploitation of this vulnerability leads to a denial-of-service condition, rendering the affected Fastify application unavailable. The impact depends on the criticality of the application; a critical service outage can cause significant disruption and financial losses. While the exact number of affected applications is unknown, any Fastify application using a vulnerable version of @fastify/accepts-serializer is susceptible. An attacker can trigger the crash with a relatively small number of requests per second, making detection challenging.

Recommendation

  • Upgrade to @fastify/accepts-serializer version 6.0.4 or later to patch CVE-2026-7768.
  • Monitor web server logs for a sudden increase in requests with diverse Accept headers, using a rule based on the webserver category, to detect potential exploitation attempts.
  • Implement resource monitoring on systems running Fastify applications to detect abnormal memory usage patterns indicative of the DoS attack.
]]>mediumadvisorydosdenial-of-servicefastify