CVE-2026-25224 in Fastify

Summary

by MITRE • 02/04/2026

Fastify is a fast and low-overhead web framework for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify's Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or a Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.


Analysis

by VulDB Data Team • 02/04/2026

CVE-2026-25224 is a critical denial-of-service flaw in the Fastify web framework for Node.js, affecting versions prior to 5.7.3. It lies in the framework's handling of Web Streams responses: when a ReadableStream is returned through the reply.send() method, the framework does not manage the stream's backpressure properly, so a remote attacker can drive server memory consumption up until the server can no longer operate stably.

The technical flaw is improper backpressure handling in Web Stream response processing: Fastify does not monitor or throttle the flow of data from the stream toward the client. When a client does not read from the response, or reads it too slowly, the framework keeps buffering data without enforcing any bound. Memory consumption therefore grows until the process is terminated or the host runs out of resources, which at best manifests as severe performance degradation. The vulnerability maps to CWE-400 (Uncontrolled Resource Consumption), the weakness class for unchecked resource consumption that results in denial of service.

Operationally, the vulnerability matters most to applications that rely on Fastify's streaming responses, for example those serving large files, real-time data feeds, or other high-throughput workloads. An attacker exploits it simply by opening connections that read the response very slowly or not at all, forcing the server to hold the buffered data for as long as the connections stay open. The impact goes beyond the affected service: exhausting memory on the host can take down other processes on the same machine, leading to cascading failures and broader instability. This vulnerability aligns with ATT&CK technique T1499.004, which covers network denial-of-service attacks that specifically target resource exhaustion through inefficient resource management.

The mitigation is to upgrade to Fastify version 5.7.3 or later, which adds proper backpressure handling and memory management controls for Web Stream responses. Organizations should also apply defence in depth: connection timeouts, read rate limiting, and monitoring for unusual memory consumption patterns. Security teams should test their streaming response paths against slow and non-reading clients to confirm that the patched version handles them and that the system stays stable under load. The fix addresses the core issue by adding flow control that prevents unlimited buffering while preserving the framework's streaming capabilities for legitimate clients.

Responsible: GitHub M

Reservation: 01/30/2026

Disclosure: 02/04/2026

Moderation: accepted

CPE: ready

EPSS: 0.00017

KEV: no

Activities: very low

Sources
