Cyber Resilience

CVE-2026-7768

Severity: High · Tag: DDoS · Status: Updated

Published: 04 May 2026
Modified: 29 May 2026
KEV Added: not listed
Patch: update to 6.0.4 or later
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0005 (16.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-7768 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in the Fastify plugin @fastify/accepts-serializer. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 16.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-7768 is a vulnerability in the @fastify/accepts-serializer plugin for Fastify, affecting versions up to and including 6.0.3. The plugin caches serializer-selection results keyed solely by the request's Accept header, with no size limit and no eviction policy. Because every Accept value the cache has not seen before adds an entry that is never removed, the cache can grow without bound, exhausting the Node.js heap and crashing the process.

A remote unauthenticated attacker can exploit this vulnerability by sending a high volume of requests with distinct but matching Accept header variants. Each unique variant populates a new cache entry, causing rapid memory consumption until the Node.js heap is depleted, resulting in a denial-of-service that crashes the affected server process. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) underscores its network accessibility and high availability impact, mapped to CWE-770 (Allocation of Resources Without Limits or Throttling).

Advisories recommend updating to version 6.0.4 or later, which introduces an LRU cache with a default size limit of 100 entries, configurable via the new cacheSize plugin option. Details are provided in the OpenJSF CNA security advisories at https://cna.openjsf.org/security-advisories.html and the GitHub advisory at https://github.com/fastify/fastify-accepts-serializer/security/advisories/GHSA-qxhc-wx3p-2wmg.
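To make the defect concrete, here is an added illustration (not the plugin's code, and not from the advisory) of the two cache shapes described above: a plain Map keyed by the raw Accept string with no eviction, next to a capacity-bounded LRU cache with a `cacheSize` default of 100, as the 6.0.4 fix is described. The `selectSerializer` helper and the `x/variant-N` Accept values are constructed for the demonstration.

```javascript
// Vulnerable shape (illustrative, not the plugin's code): a plain Map keyed by
// the raw Accept string, with no capacity and no eviction.
class UnboundedCache {
  constructor() { this.map = new Map(); }
  get size() { return this.map.size; }
  get(key) { return this.map.get(key); }
  set(key, value) { this.map.set(key, value); }
}

// Hardened shape matching the fix described above: a capacity-bounded LRU.
// Map preserves insertion order, so the first key is the least recently used.
class LruCache {
  constructor(cacheSize = 100) { this.cacheSize = cacheSize; this.map = new Map(); }
  get size() { return this.map.size; }
  get(key) {
    if (!this.map.has(key)) return undefined;
    const value = this.map.get(key);
    this.map.delete(key);
    this.map.set(key, value); // re-insert to mark as most recently used
    return value;
  }
  set(key, value) {
    if (this.map.has(key)) this.map.delete(key);
    else if (this.map.size >= this.cacheSize) this.map.delete(this.map.keys().next().value);
    this.map.set(key, value);
  }
}

// Hypothetical serializer selection: first supported media type the client lists.
const SUPPORTED = ['application/json', 'application/xml'];
function selectSerializer(accept) {
  const offered = accept.split(',').map((s) => s.trim().split(';')[0].toLowerCase());
  return SUPPORTED.find((t) => offered.includes(t)) ?? 'application/json';
}

// Memoise the selection on the raw Accept header, as the affected versions did.
function cachedSelect(cache, accept) {
  let chosen = cache.get(accept);
  if (chosen === undefined) cache.set(accept, (chosen = selectSerializer(accept)));
  return chosen;
}

// Feed n constructed Accept values that all resolve to application/json but differ
// as strings, then report how many entries the cache holds afterwards.
function entriesAfterDistinctVariants(cache, n) {
  for (let i = 0; i < n; i++) cachedSelect(cache, `application/json, x/variant-${i}`);
  return cache.size;
}
```

With 1000 distinct variants the unbounded cache holds 1000 entries while the LRU never exceeds its `cacheSize`, which is the property a regression test for this class of bug should assert.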

EU & UK References

Vulnerability details

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The unbounded cache (CWE-770) is directly exploitable by an unauthenticated remote attacker sending crafted Accept header variants, causing heap exhaustion and a process crash; this matches T1499.004 Application or System Exploitation under Endpoint Denial of Service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2021-47877 (shared CWE-770)
CVE-2026-3260 (shared CWE-770)
CVE-2025-66560 (shared CWE-770)
CVE-2025-68136 (shared CWE-770)
CVE-2020-37038 (shared CWE-770)
CVE-2025-36070 (shared CWE-770)
CVE-2021-47791 (shared CWE-770)
CVE-2021-47876 (shared CWE-770)
CVE-2019-25342 (shared CWE-770)
CVE-2026-44004 (shared CWE-770)

Affected Assets

Vendor: fastify
Product: fastify/accepts-serializer
Versions: ≤ 6.0.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

Type: prevent

Directly mitigates the unbounded cache growth vulnerability by requiring timely flaw remediation through updating to @fastify/accepts-serializer version 6.0.4 or later with bounded LRU cache.

Type: prevent, detect

Implements denial-of-service protections at system entry points to counter resource exhaustion attacks from floods of distinct Accept header variants.

Type: prevent

Protects system resources such as Node.js heap memory from unauthorized depletion caused by unbounded cache allocation triggered by malicious requests.

References