EUVD-2026-27131

@fastify/accepts-serializer Vulnerable to Denial of Service via Unbounded Accept Header Cache Growth...

GHSA-QXHC-WX3P-2WMG @fastify/accepts-serializer Vulnerable to Denial of Service via Unbounded Accept Header Cache Growth

Impact @fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded. Under sustained load,...

@fastify/accepts-serializer Vulnerable to Denial of Service via Unbounded Accept Header Cache Growth

Impact @fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded. Under sustained load,...

Allocation of Resources Without Limits or Throttling

Overview @fastify/accepts-serializer is a Serializer according to the accept header Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the unbounded caching of serializer-selection results keyed by the Accept header. An attacker can exhaus...

CVE-2026-7768

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the...

CVE-2026-7768 @fastify/accepts-serializer vulnerable to Denial of Service via Unbounded Accept Header Cache Growth

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the...

CVE-2026-7768 @fastify/accepts-serializer vulnerable to Denial of Service via Unbounded Accept Header Cache Growth

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the...

CVE-2026-7768

The CVE affects @fastify/accepts-serializer where serializer-selection results are cached by the request Accept header without bounds or eviction, allowing an unauthenticated remote client to cause unbounded cache growth and Node.js heap exhaustion leading to a crash. Affected versions are

@fastify/accepts-serializer 安全漏洞

@fastify/accepts-serializer is a plugin developed by Fastify, which automatically selects a serialization method based on the Accept header. Versions of @fastify/accepts-serializer up to 6.0.3 contained security vulnerabilities. These vulnerabilities stemmed from the lack of size limits or evicti...