CVE-2026-7768
@fastify/accepts-serializer Vulnerable to Denial of Service via Unbounded Accept Header Cache Growth
Description
### Impact

`@fastify/accepts-serializer` cached serializer-selection results keyed by the request `Accept` header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching `Accept` header variants to make the cache grow unbounded. Under sustained load, this can exhaust the Node.js heap and crash the process.

### Patches

Update to `@fastify/accepts-serializer >= 6.0.4`. The cache is now bounded by an LRU with a default size of 100 entries, configurable via the new `cacheSize` plugin option.

### Workarounds

None. Upgrade is required.
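The following is an added illustration of the bug class and its fix, not code from `@fastify/accepts-serializer`: a minimal serializer-selection cache keyed by the raw `Accept` string, where `cacheSize = Infinity` models the unbounded growth described above and the default of 100 models the bounded LRU of the patched release. The serializer table and the `selectType` heuristic are constructed for the demo.

```javascript
// Constructed sample serializer table; a real plugin would take these from config.
const serializers = {
  'application/json': (o) => JSON.stringify(o),
  'text/plain': (o) => String(o),
};
const defaultType = 'application/json';

// Simplified selection: first listed media type we support (q-values ignored;
// the point of the example is the cache, not content negotiation).
function selectType(accept) {
  for (const part of accept.split(',')) {
    const type = part.trim().split(';')[0].trim();
    if (serializers[type]) return type;
  }
  return defaultType;
}

// Memoises selectType per Accept string. The Map is used as an LRU: a hit is
// re-inserted to refresh its recency, and the oldest key is evicted once the
// budget is exceeded. Pass Infinity to reproduce the unbounded (vulnerable) shape.
function makeSelectorCache(cacheSize = 100) {
  const cache = new Map();
  return {
    get(accept) {
      if (cache.has(accept)) {
        const v = cache.get(accept);
        cache.delete(accept);
        cache.set(accept, v); // move to most-recently-used position
        return v;
      }
      const v = selectType(accept);
      cache.set(accept, v);
      // Never fires when cacheSize is Infinity: every distinct header stays forever.
      if (cache.size > cacheSize) cache.delete(cache.keys().next().value);
      return v;
    },
    has(accept) { return cache.has(accept); },
    size() { return cache.size; },
  };
}

// Regression check: feed n distinct-but-equivalent Accept strings (constructed
// by varying the q parameter) and report how many entries the cache retains.
function retainedAfter(cache, n) {
  for (let i = 0; i < n; i++) cache.get(`application/json;q=0.${i}`);
  return cache.size();
}
```

With the default budget the cache tops out at 100 entries regardless of how many header variants arrive, which is the property a test for this fix should assert.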
How to fix CVE-2026-7768
To remediate CVE-2026-7768, upgrade the affected package to a fixed version below.
- @fastify/accepts-serializer: upgrade to 6.0.4 or later
Is CVE-2026-7768 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- @fastify/accepts-serializer: all versions from 0 up to, but not including, 6.0.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |