Fastify, Denial of Service via Unbounded Memory Allocation in sendWebStream, Low Severity

Listen to this Post

This vulnerability exists within Fastify’s implementation for handling Web Streams (e.g., ReadableStream) when sending responses via reply.send(). The framework correctly implements backpressure mechanisms for standard Node.js streams, pausing data flow when the client cannot keep up. However, its adapter for Web Streams failed to properly respect this backpressure signal. When a malicious or exceptionally slow client connects and reads data at an infinitesimally slow rate—or stops reading altogether—the server continues to buffer the entire outgoing Web Stream in memory. This occurs because the underlying source of the Web Stream keeps producing data, assuming it will be consumed, while the server’s output buffer grows without bound. The process’s memory allocation increases continuously until it exhausts available system memory, leading to severe performance degradation or a crash, thereby causing a Denial of Service (DoS).
Platform: Fastify
Version: <5.7.3
Vulnerability: DoS via Memory Exhaustion
Severity: Low
Date: 2026-02-02

Prediction: Patched 2026-02-02

What Undercode Say:

Analytics: Commands and Code

npm list fastify
// Vulnerable code pattern
fastify.get('/', async (request, reply) => {
const webStream = new ReadableStream({ ... });
reply.send(webStream); // Vulnerable in <5.7.3
});
Check for vulnerable versions
grep '"fastify"' package.json | grep -v '5.7.[3-9]|5.[8-9]'

How Exploit:

Attacker sends request for Web Stream endpoint and then throttles or stops reading response data, causing server-side buffering.

Protection from this CVE:

Upgrade to Fastify>=5.7.3. Temporarily avoid `reply.send()` with Web Streams (ReadableStream, `Response` body). Use Node.js `stream.Readable` or buffer data.

Impact:

Unbounded server memory consumption leading to process crash or severe service degradation for applications using Web Stream responses.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top