{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25224", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-30T14:44:47.327Z", "datePublished": "2026-02-03T21:21:35.437Z", "dateUpdated": "2026-02-04T16:20:32.845Z"}, "containers": {"cna": {"title": "Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c"}, {"name": "https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37", "tags": ["x_refsource_MISC"], "url": "https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37"}, {"name": "https://hackerone.com/reports/3524779", "tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/3524779"}], "affected": [{"vendor": "fastify", "product": "fastify", "versions": [{"version": "< 5.7.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T21:21:35.437Z"}, "descriptions": [{"lang": "en", "value": "Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify\u2019s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3."}], "source": {"advisory": "GHSA-mrq3-vjjr-p77c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T16:20:26.988188Z", "id": "CVE-2026-25224", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:20:32.845Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25224", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T16:20:26.988188Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:20:29.894Z"}}], "cna": {"title": "Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream", "source": {"advisory": "GHSA-mrq3-vjjr-p77c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "fastify", "product": "fastify", "versions": [{"status": "affected", "version": "< 5.7.3"}]}], "references": [{"url": "https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c", "name": "https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37", "name": "https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37", "tags": ["x_refsource_MISC"]}, {"url": "https://hackerone.com/reports/3524779", "name": "https://hackerone.com/reports/3524779", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify\u2019s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T21:21:35.437Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25224", "state": "PUBLISHED", "dateUpdated": "2026-02-04T16:20:32.845Z", "dateReserved": "2026-01-30T14:44:47.327Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-03T21:21:35.437Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "70F0A157-C97E-4AB3-8B64-D6B21301B2DD", "versionEndExcluding": "5.7.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify\u2019s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3."}], "id": "CVE-2026-25224", "lastModified": "2026-02-10T19:24:48.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-03T22:16:31.290", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/3524779"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Fastify: Fastify: Denial of Service via unbounded buffering in Web Streams response handling", "id": "2436557", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436557"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in Fastify. A remote client can exploit this denial-of-service vulnerability by sending a slow or non-reading request when the application returns a ReadableStream (or Response with a Web Stream body) via reply.send(). This can lead to unbounded buffering, exhausting server memory. The consequence is a Denial of Service (DoS), potentially causing process crashes or severe degradation of the server."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-25224", "package_state": [{"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-dashboard-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-mod-arch-gen-ai-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-mod-arch-model-registry-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/dashboard-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-02-03T21:21:35Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25224\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25224\nhttps://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37\nhttps://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c\nhttps://hackerone.com/reports/3524779"], "statement": "LOW. A denial-of-service flaw exists in Fastify's Web Streams response handling. This issue can lead to unbounded buffering and memory exhaustion when a remote client sends a slow or non-reading request to an application that uses `reply.send()` with a `ReadableStream` or `Response` with a Web Stream body. Red Hat products utilizing Fastify in this configuration are affected.", "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-18T00:00:54.686232+00:00", "value": {"mitigation_remediation": ["Upgrade Fastify to version 5.7.3 or later", "Modify any reply.send() stream usage to enforce backpressure or apply size limits", "Add monitoring to detect high memory usage patterns and trigger alerts"], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The Fastify web framework for Node.js is affected. Versions before 5.7.3 are vulnerable. Applications that return a ReadableStream (or a Response with a Web Stream body) via reply.send() are impacted.", "description_and_impact": "Fastify\u2019s Web Streams response handling allows a remote client to exhaust process memory. A request that streams data slowly or that does not read the response triggers unbounded buffering because backpressure is ignored, leading to crashes or severe degradation. The vulnerability is an example of uncontrolled resource consumption (CWE-770) and results in a denial\u2011of\u2011service scenario where an attacker can force the application to run out of memory.", "risk_and_exploitability": "The CVSS score is 3.7 (low), EPSS is under 1% and the vulnerability is not listed in the KEV catalog, indicating a low likelihood of exploitation. Nevertheless, the attack is remote, requires the ability to send a control\u2011flow request that streams data slowly or stops reading, and can lead to out\u2011of\u2011memory crashes or severe performance degradation. The risk remains low but could impact availability in a critical system if an attacker triggers the condition."}}}}, "created": "2026-02-04T12:05:59.853572+00:00", "updated": "2026-04-18T00:15:31.768654+00:00", "vendors": ["fastify", "fastify$PRODUCT$fastify"]}