CVE-2026-25224

low-risk

Published 2026-02-03

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.

Do I need to act?

0.02% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 3.7/10 Low

NETWORK / HIGH complexity

Affected Products (1)

Fastify

Affected Vendors

Fastify

References (3)

Patch https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be...

Vendor Advisory https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c

Permissions Required https://hackerone.com/reports/3524779

/ 100

low-risk

Severity 13/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal