CVE-2026-25224
📋 TL;DR
A denial-of-service vulnerability in Fastify's Web Streams response handling allows remote clients to exhaust server memory by opening requests to streaming endpoints and reading the response slowly or not at all. Applications that pass a ReadableStream, or a Response whose body is a Web Stream, to reply.send() are affected. This can lead to process crashes or severe performance degradation.
💻 Affected Systems
- Fastify
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server crash and unavailability due to memory exhaustion, potentially affecting all services on the same host.
Likely Case
Severe performance degradation and intermittent crashes under targeted attack, leading to service disruption.
If Mitigated
Minimal impact with proper monitoring and resource limits in place.
🎯 Exploit Status
Exploitation requires sending requests to vulnerable endpoints and not reading responses, which is trivial to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.7.3
Vendor Advisory: https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c
Restart Required: Yes
Instructions:
1. Update the Fastify package to version 5.7.3 or later.
2. Run 'npm update fastify' or 'yarn upgrade fastify'.
3. Restart your Node.js application.
🔧 Temporary Workarounds
Implement response timeout
Add timeout handling to Web Stream responses to prevent unbounded buffering.
// In your Fastify route handler, add timeout logic to stream responses
Disable Web Stream responses
Avoid using ReadableStream or Response with a Web Stream body in reply.send() until patched.
// Replace stream-based responses with alternative implementations
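The timeout workaround above, as an added example that is not from this page or from Fastify itself: a wrapper that cancels the producer when the client stops reading, plus a constructed producer and a simulated slow client to exercise it. The function names and the idle-timeout value are assumptions.

```javascript
// Added guard (not Fastify code): if the consumer does not pull the next chunk
// within idleMs, cancel the upstream source and error the wrapper. Node 18+.
function withReadTimeout(source, idleMs) {
  const reader = source.getReader();
  let timer = null;
  const arm = (controller) => {
    timer = setTimeout(() => {
      const err = new Error(`consumer idle for ${idleMs}ms`);
      reader.cancel(err).catch(() => {}); // release the producer
      controller.error(err);              // fail the slow client
    }, idleMs);
  };
  return new ReadableStream({
    async pull(controller) {
      clearTimeout(timer);                // consumer is reading again
      const { value, done } = await reader.read();
      if (done) return controller.close();
      controller.enqueue(value);
      arm(controller);                    // now wait for the next pull
    },
    cancel(reason) { clearTimeout(timer); return reader.cancel(reason); },
  }, { highWaterMark: 0 });               // pull() only on consumer reads
}
// Constructed producer for the demo: `count` chunks on demand, records cancel.
function makeSource(count) {
  const state = { produced: 0, cancelled: false };
  const stream = new ReadableStream({
    pull(c) {
      if (state.produced >= count) return c.close();
      c.enqueue(`chunk-${++state.produced}\n`);
    },
    cancel() { state.cancelled = true; },
  });
  return { stream, state };
}
// Simulated client pausing `pauseMs` between reads; reports what it saw.
async function consume(count, idleMs, pauseMs) {
  const { stream, state } = makeSource(count);
  const reader = withReadTimeout(stream, idleMs).getReader();
  let chunks = 0, error = null;
  try {
    for (;;) {
      const { done } = await reader.read();
      if (done) break;
      chunks += 1;
      await new Promise((r) => setTimeout(r, pauseMs));
    }
  } catch (e) { error = e.message; }
  return { chunks, error, cancelled: state.cancelled };
}
```

Pass the wrapped stream to reply.send() in place of the raw one; it bounds how long a producer stays alive for an idle client and complements, rather than replaces, the upgrade to 5.7.3.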
🧯 If You Can't Patch
- Implement rate limiting and request throttling to limit client impact
- Deploy memory monitoring and alerting to detect memory exhaustion attempts
🔍 How to Verify
Check if Vulnerable:
Check whether your application passes a ReadableStream, or a Response with a Web Stream body, to reply.send(), and whether the installed Fastify version is below 5.7.3.
Check Version:
npm list fastify | grep fastify
Verify Fix Applied:
Verify Fastify version is 5.7.3 or higher and test stream response endpoints under slow client conditions.
📡 Detection & Monitoring
Log Indicators:
- Unusual memory consumption spikes
- Process crashes with out-of-memory errors
- Increased response times for stream endpoints
Network Indicators:
- Multiple slow-reading client connections to stream endpoints
- Abnormal request patterns to Web Stream routes
SIEM Query:
source="application.logs" AND ("out of memory" OR "heap out of memory") AND process="node"