Bug 2436557 (CVE-2026-25224)

Summary:	CVE-2026-25224 Fastify: Fastify: Denial of Service via unbounded buffering in Web Streams response handling
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security <prodsec-ir-bot>
Status:	NEW ---	QA Contact:
Severity:	low	Docs Contact:
Priority:	low
Version:	unspecified	CC:	bbrownin, jkoehler, lphiri, sdawley
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:	A flaw was found in Fastify. A remote client can exploit this denial-of-service vulnerability by sending a slow or non-reading request when the application returns a ReadableStream (or Response with a Web Stream body) via reply.send(). This can lead to unbounded buffering, exhausting server memory. The consequence is a Denial of Service (DoS), potentially causing process crashes or severe degradation of the server.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-02-03 22:01:30 UTC

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.