Home > Vulnerability Database > CVE-2026-25224

Mend.io Vulnerability Database

CVE-2026-25224

Good to know:

Date: February 3, 2026

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.

Severity Score

3.7

Related Resources (6)

Url: https://hackerone.com/reports/3524779

Url: https://github.com/fastify/fastify

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-25224

Url: https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37

Url: https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c

Url: https://www.mend.io/vulnerability-database/CVE-2026-25224

Severity Score

3.7

Weakness Type (CWE)

Allocation of Resources Without Limits or Throttling

CWE-770

Top Fix

Upgrade Version

Upgrade to version fastify - 5.7.3;https://github.com/fastify/fastify.git - v5.7.3

Learn More

CVSS v3.1

Base Score:	3.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2026-25224

Good to know:

Date: February 3, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?