CVE-2026-25224

Severity: LOW 3.7 · EPSS 0.02%

Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream

Published: 2026/2/2 · Modified: 2026/2/4

Description

### Impact

A Denial of Service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a `ReadableStream` (or a `Response` with a Web Stream body) via `reply.send()` are affected. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation.

### Patches

The issue is fixed in Fastify 5.7.3. Users should upgrade to 5.7.3 or later.

### Workarounds

Avoid sending Web Streams from Fastify responses (e.g., `ReadableStream` or `Response` bodies). Use Node.js streams (`stream.Readable`) or buffered payloads instead until the project can upgrade.

### References

- https://hackerone.com/reports/3524779

Affected packages (1)

CVSS score

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | LOW 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |

References (5)