GHSA-mrq3-vjjr-p77c

Suggest an improvement
Source
https://github.com/advisories/GHSA-mrq3-vjjr-p77c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-mrq3-vjjr-p77c/GHSA-mrq3-vjjr-p77c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mrq3-vjjr-p77c
Aliases
Published
2026-02-02T22:25:05Z
Modified
2026-02-04T18:08:54.461651Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream
Details

Impact

A Denial of Service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation.

Patches

The issue is fixed in Fastify 5.7.3. Users should upgrade to 5.7.3 or later.

Workarounds

Avoid sending Web Streams from Fastify responses (e.g., ReadableStream or Response bodies). Use Node.js streams (stream.Readable) or buffered payloads instead until the project can upgrade.

References

  • https://hackerone.com/reports/3524779
Database specific 
{
    "cwe_ids": [
        "CWE-770"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "nvd_published_at": "2026-02-03T22:16:31Z",
    "github_reviewed_at": "2026-02-02T22:25:05Z"
}
References

Affected packages

npm / fastify

Package

Name
fastify
View open source insights on deps.dev
Purl
pkg:npm/fastify

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.7.3

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-mrq3-vjjr-p77c/GHSA-mrq3-vjjr-p77c.json"
last_known_affected_version_range 
"<= 5.7.2"