{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25224", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-30T14:44:47.327Z", "datePublished": "2026-02-03T21:21:35.437Z", "dateUpdated": "2026-02-04T16:20:32.845Z"}, "containers": {"cna": {"title": "Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c"}, {"name": "https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37", "tags": ["x_refsource_MISC"], "url": "https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37"}, {"name": "https://hackerone.com/reports/3524779", "tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/3524779"}], "affected": [{"vendor": "fastify", "product": "fastify", "versions": [{"version": "< 5.7.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T21:21:35.437Z"}, "descriptions": [{"lang": "en", "value": "Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify\u2019s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3."}], "source": {"advisory": "GHSA-mrq3-vjjr-p77c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T16:20:26.988188Z", "id": "CVE-2026-25224", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:20:32.845Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25224", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T16:20:26.988188Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:20:29.894Z"}}], "cna": {"title": "Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream", "source": {"advisory": "GHSA-mrq3-vjjr-p77c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "fastify", "product": "fastify", "versions": [{"status": "affected", "version": "< 5.7.3"}]}], "references": [{"url": "https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c", "name": "https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37", "name": "https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37", "tags": ["x_refsource_MISC"]}, {"url": "https://hackerone.com/reports/3524779", "name": "https://hackerone.com/reports/3524779", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify\u2019s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T21:21:35.437Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25224", "state": "PUBLISHED", "dateUpdated": "2026-02-04T16:20:32.845Z", "dateReserved": "2026-01-30T14:44:47.327Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-03T21:21:35.437Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "70F0A157-C97E-4AB3-8B64-D6B21301B2DD", "versionEndExcluding": "5.7.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify\u2019s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3."}], "id": "CVE-2026-25224", "lastModified": "2026-02-10T19:24:48.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-02-03T22:16:31.290", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c"}, {"source": "[email protected]", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/3524779"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "Fastify: Fastify: Denial of Service via unbounded buffering in Web Streams response handling", "id": "2436557", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436557"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in Fastify. A remote client can exploit this denial-of-service vulnerability by sending a slow or non-reading request when the application returns a ReadableStream (or Response with a Web Stream body) via reply.send(). This can lead to unbounded buffering, exhausting server memory. The consequence is a Denial of Service (DoS), potentially causing process crashes or severe degradation of the server."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-25224", "package_state": [{"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-dashboard-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-mod-arch-gen-ai-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-mod-arch-model-registry-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/dashboard-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-02-03T21:21:35Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25224\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25224\nhttps://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37\nhttps://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c\nhttps://hackerone.com/reports/3524779"], "statement": "LOW. A denial-of-service flaw exists in Fastify's Web Streams response handling. This issue can lead to unbounded buffering and memory exhaustion when a remote client sends a slow or non-reading request to an application that uses `reply.send()` with a `ReadableStream` or `Response` with a Web Stream body. Red Hat products utilizing Fastify in this configuration are affected.", "threat_severity": "Low"}