CVE-2026-25224 – Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream

CVE ID : CVE-2026-25224

Published : Feb. 3, 2026, 10:16 p.m. | 1 hour, 2 minutes ago

Description : Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.

Severity: 3.7 | LOW

Visit the link for more details, such as CVSS details, affected products, timeline, and more…