Fastify Denial-of-Service Vulnerability in Web Streams Response Handling

Vulnerability

A denial-of-service vulnerability has been identified in Fastify, a web framework for Node.js, prior to version 5.7.3. The issue arises in Fastify's handling of Web Streams in responses, where a remote client can cause excessive memory usage on the server. This vulnerability affects applications that send a ReadableStream or a Response with a Web Stream body through reply.send(). When a client does not read the response or does so slowly, it can lead to unbounded memory buffering, ignoring backpressure, and causing process crashes or significant performance degradation.

Impact

Exploitation of this vulnerability can lead to process crashes or severe performance degradation on the server.

Reproduction

The vulnerability can be reproduced by sending a response from a Fastify server that includes a Web Stream (such as a ReadableStream) while the client either reads the response slowly or not at all. This can be done by creating a Fastify server that sends a Web Stream response and then using a client that does not read the response promptly, allowing the server to exhaust its memory resources.

Remediation

Users are advised to upgrade to Fastify version 5.7.3 or later. If an immediate upgrade is not possible, avoid sending Web Streams in Fastify responses. Instead, use Node.js streams or buffered payloads.

Added: Feb 3, 2026, 10:27 PM
Updated: Feb 3, 2026, 10:27 PM

Vulnerability Rating

Custom Algorithm
spread
7.6
impact
2.5
exploitability
9.3
remediation
8.3
relevance
1.6
threat
4.8
urgency
2.9
incentive
8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.