CVE-2026-7768
Published: 04 May 2026
Summary
CVE-2026-7768 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in the Fastify plugin @fastify/accepts-serializer. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 16.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2026-7768 is a vulnerability in the @fastify/accepts-serializer plugin for Fastify, affecting versions up to and including 6.0.3. The plugin caches serializer-selection results keyed solely by the request's Accept header, with no size limit and no eviction policy. Because every previously unseen header value adds a cache entry that is never removed, the cache grows without bound when a client sends many distinct Accept values, eventually exhausting the Node.js heap and crashing the process.
A remote unauthenticated attacker can exploit this vulnerability by sending a high volume of requests whose Accept header values are textually distinct yet still match a configured serializer. Each unique value populates a new cache entry, so memory consumption rises with request count until the Node.js heap is depleted, resulting in a denial of service that crashes the affected server process. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects its network accessibility and high availability impact; it is mapped to CWE-770 (Allocation of Resources Without Limits or Throttling).
Advisories recommend updating to version 6.0.4 or later, which introduces an LRU cache with a default size limit of 100 entries, configurable via the new cacheSize plugin option. Details are provided in the OpenJSF CNA security advisories at https://cna.openjsf.org/security-advisories.html and the GitHub advisory at https://github.com/fastify/fastify-accepts-serializer/security/advisories/GHSA-qxhc-wx3p-2wmg.
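To make the cache-growth mechanism concrete, the following is an added example written for this page; it is not the plugin's own code and does not reproduce its serializer-matching logic. It models the advisory's two designs side by side: a serializer-selection cache keyed by the raw Accept header with no bound (the CWE-770 pattern), and the same cache bounded by a small LRU with a default limit of 100 entries, as the 6.0.4 fix describes. The serializer table, the simplified `selectSerializer` matcher and the `distinctVariants` traffic generator are all assumptions constructed for the demonstration.

```javascript
// Added example (not the plugin's code): a serializer-selection cache keyed
// by the Accept header, first unbounded (the CWE-770 pattern in the advisory),
// then bounded by an LRU as the 6.0.4 fix does. Matching logic is a stand-in.

const SERIALIZERS = [
  { type: 'application/json', serialize: (body) => JSON.stringify(body) },
  { type: 'text/plain', serialize: (body) => String(body) },
];

// Pick a serializer for an Accept header. Parameters such as q-values are
// ignored, so "application/json" and "application/json;q=0.9" resolve to the
// same serializer while remaining distinct strings (and distinct cache keys).
function selectSerializer(accept) {
  const wanted = accept.split(',').map((part) => part.split(';')[0].trim());
  for (const candidate of wanted) {
    const hit = SERIALIZERS.find((s) => s.type === candidate);
    if (hit) return hit;
  }
  return SERIALIZERS[0]; // fall back to the first (default) serializer
}

// Unbounded: a plain Map keyed by the raw header grows with every new variant.
class UnboundedCache {
  constructor() { this.map = new Map(); }
  get(accept) {
    if (!this.map.has(accept)) this.map.set(accept, selectSerializer(accept));
    return this.map.get(accept);
  }
  get size() { return this.map.size; }
}

// Bounded: a Map used as an LRU. Map keeps insertion order, so deleting and
// re-inserting on a hit marks an entry most recently used, and the first key
// in iteration order is always the least recently used one to evict.
class LruCache {
  constructor(maxSize = 100) {
    if (!Number.isInteger(maxSize) || maxSize < 1) {
      throw new RangeError('maxSize must be a positive integer');
    }
    this.maxSize = maxSize;
    this.map = new Map();
  }
  get(accept) {
    if (this.map.has(accept)) {
      const value = this.map.get(accept);
      this.map.delete(accept);
      this.map.set(accept, value); // refresh recency
      return value;
    }
    const value = selectSerializer(accept);
    if (this.map.size >= this.maxSize) {
      this.map.delete(this.map.keys().next().value); // evict least recently used
    }
    this.map.set(accept, value);
    return value;
  }
  get size() { return this.map.size; }
}

// Constructed traffic: n Accept headers that all resolve to the JSON serializer
// but differ textually (distinct q-value strings), so each is a new cache key.
function distinctVariants(n) {
  const out = [];
  for (let i = 0; i < n; i++) {
    out.push(`application/json;q=0.${String(i).padStart(6, '0')}`);
  }
  return out;
}

// Drive both caches with the same variants and report their final sizes.
function compareCaches(n, maxSize = 100) {
  const unbounded = new UnboundedCache();
  const bounded = new LruCache(maxSize);
  for (const accept of distinctVariants(n)) {
    unbounded.get(accept);
    bounded.get(accept);
  }
  return { unboundedSize: unbounded.size, boundedSize: bounded.size };
}

// Sanity check that the LRU evicts the stale entry, not the recently touched one.
function lruKeepsRecent() {
  const lru = new LruCache(2);
  lru.get('text/plain');
  lru.get('application/json');
  lru.get('text/plain');             // hit: text/plain becomes most recent
  lru.get('application/json;q=0.5'); // miss at capacity: evicts application/json
  return { keys: [...lru.map.keys()], size: lru.size };
}

console.log(compareCaches(10000)); // unbounded grows to 10000, bounded stays at 100
```

The bound is what matters: with the LRU in place, the number of cached entries is a function of `maxSize`, not of how many distinct header strings a client chooses to send, so the memory cost of the cache is fixed at deployment time rather than controlled by the remote party.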
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-27131
Vulnerability details
@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option.
- CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unbounded cache (CWE-770) is directly exploitable by an unauthenticated remote attacker sending crafted Accept-header variants, causing heap exhaustion and process crash; this precisely matches T1499.004 Application or System Exploitation under Endpoint Denial of Service.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the unbounded cache growth vulnerability by requiring timely flaw remediation, namely updating to @fastify/accepts-serializer version 6.0.4 or later with its bounded LRU cache.
- SC-5 (Denial-of-service Protection): implements denial-of-service protections at system entry points to counter resource exhaustion attacks from floods of distinct Accept header variants.
- SC-6 (Resource Availability): protects system resources such as Node.js heap memory from unauthorized depletion caused by unbounded cache allocation triggered by malicious requests.
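The SC-5 control above calls for protection at the entry point; one practical input to that is spotting the traffic shape the advisory describes, a single client sending many textually distinct Accept values. The following is an added example written for this page, not code from the advisory, Fastify or the plugin. It parses constructed JSON access-log lines, counts distinct Accept values per client address and flags any client above a threshold. The log format (`ts`, `ip`, `accept` fields), the sample addresses and the threshold of 5 are all assumptions constructed for the demonstration; Fastify's default request log does not include request headers, so a real deployment would need to log the Accept header (or observe it at a reverse proxy) and map its own field names.

```javascript
// Added example (not from the advisory or the plugin): flag clients that send
// an unusually large number of distinct Accept header values. Log lines and
// their JSON shape are constructed here; they are not Fastify's default log.

const SAMPLE_LOG = [
  // constructed: a normal client that always sends the same Accept value
  '{"ts":"2026-05-04T10:00:00Z","ip":"203.0.113.10","accept":"application/json"}',
  '{"ts":"2026-05-04T10:00:01Z","ip":"203.0.113.10","accept":"application/json"}',
  '{"ts":"2026-05-04T10:00:02Z","ip":"203.0.113.10","accept":"application/json"}',
  // constructed: a client with two legitimate variants
  '{"ts":"2026-05-04T10:00:03Z","ip":"203.0.113.22","accept":"text/plain"}',
  '{"ts":"2026-05-04T10:00:04Z","ip":"203.0.113.22","accept":"application/json, text/plain"}',
  // constructed: a client cycling through textually distinct variants
  '{"ts":"2026-05-04T10:00:05Z","ip":"198.51.100.7","accept":"application/json;q=1.0"}',
  '{"ts":"2026-05-04T10:00:05Z","ip":"198.51.100.7","accept":"application/json;q=0.9"}',
  '{"ts":"2026-05-04T10:00:05Z","ip":"198.51.100.7","accept":"application/json;q=0.8"}',
  '{"ts":"2026-05-04T10:00:06Z","ip":"198.51.100.7","accept":"application/json;q=0.7"}',
  '{"ts":"2026-05-04T10:00:06Z","ip":"198.51.100.7","accept":"application/json;q=0.6"}',
  '{"ts":"2026-05-04T10:00:06Z","ip":"198.51.100.7","accept":"application/json;q=0.5"}',
  // constructed: a malformed line that the parser must skip rather than crash on
  'not json at all',
].join('\n');

// Parse JSON lines, skipping malformed lines and records missing the needed fields.
function parseLogLines(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    try {
      const rec = JSON.parse(line);
      if (typeof rec.ip === 'string' && typeof rec.accept === 'string') entries.push(rec);
    } catch (_err) {
      // malformed line: ignore it and keep going
    }
  }
  return entries;
}

// Map each client address to the set of distinct raw Accept values it sent.
function distinctAcceptPerClient(entries) {
  const perClient = new Map();
  for (const { ip, accept } of entries) {
    if (!perClient.has(ip)) perClient.set(ip, new Set());
    perClient.get(ip).add(accept);
  }
  return perClient;
}

// Flag clients whose number of distinct Accept values exceeds the threshold,
// most variants first. A legitimate client rarely sends more than a handful.
function flagClients(entries, threshold = 5) {
  const flagged = [];
  for (const [ip, variants] of distinctAcceptPerClient(entries)) {
    if (variants.size > threshold) flagged.push({ ip, distinctAccept: variants.size });
  }
  return flagged.sort((a, b) => b.distinctAccept - a.distinctAccept);
}

console.log(flagClients(parseLogLines(SAMPLE_LOG))); // [{ ip: '198.51.100.7', distinctAccept: 6 }]
```

The count is per raw string, which is deliberate: the cache in the vulnerable versions is keyed by the raw header, so textually distinct values are exactly what consumed memory. On an unpatched host the flagged addresses are candidates for rate limiting at the proxy; on a patched host (6.0.4 or later) the same signal is still useful as a record of who was probing for the behaviour.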