Listen to this Post
This vulnerability exists within Fastify’s implementation for handling Web Streams (e.g., ReadableStream) when sending responses via reply.send(). The framework correctly implements backpressure mechanisms for standard Node.js streams, pausing data flow when the client cannot keep up. However, its adapter for Web Streams failed to properly respect this backpressure signal. When a malicious or exceptionally slow client connects and reads data at an infinitesimally slow rate—or stops reading altogether—the server continues to buffer the entire outgoing Web Stream in memory. This occurs because the underlying source of the Web Stream keeps producing data, assuming it will be consumed, while the server’s output buffer grows without bound. The process’s memory allocation increases continuously until it exhausts available system memory, leading to severe performance degradation or a crash, thereby causing a Denial of Service (DoS).
Platform: Fastify
Version: <5.7.3
Vulnerability: DoS via Memory Exhaustion
Severity: Low
Date: 2026-02-02
Prediction: Patched 2026-02-02
What Undercode Say:
Analytics: Commands and Code
npm list fastify
// Vulnerable code pattern
fastify.get('/', async (request, reply) => {
const webStream = new ReadableStream({ ... });
reply.send(webStream); // Vulnerable in <5.7.3
});
Check for vulnerable versions grep '"fastify"' package.json | grep -v '5.7.[3-9]|5.[8-9]'
How Exploit:
Attacker sends request for Web Stream endpoint and then throttles or stops reading response data, causing server-side buffering.
Protection from this CVE:
Upgrade to Fastify>=5.7.3. Temporarily avoid `reply.send()` with Web Streams (ReadableStream, `Response` body). Use Node.js `stream.Readable` or buffer data.
Impact:
Unbounded server memory consumption leading to process crash or severe service degradation for applications using Web Stream responses.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

