CVE-2026-7768: Fastify Accepts-Serializer DoS Vulnerability
The National Vulnerability Database has detailed CVE-2026-7768, a high-severity denial-of-service (DoS) vulnerability in the @fastify/accepts-serializer package. This flaw, present in versions up to and including 6.0.3, stems from an unbounded cache used for serializer-selection results. The cache, keyed by the request’s Accept header, lacked both a size limit and an eviction policy.
A remote, unauthenticated attacker could exploit this by sending numerous distinct yet matching Accept header variants. Each variant would cause the cache to grow without restraint, eventually exhausting the Node.js heap and crashing the process. This is a classic resource exhaustion attack (CWE-770) that can lead to significant service disruption.
Defenders must prioritize patching. The National Vulnerability Database states that updating to version 6.0.4 or later mitigates this issue. The patched versions introduce an LRU cache with a default size of 100 entries, configurable via the new cacheSize plugin option, effectively bounding its growth and preventing heap exhaustion.
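The defect class and its remediation, as an added illustration that is not the plugin's own code: a constructed serializer lookup behind an unbounded Map cache beside a bounded LRU cache with a configurable limit (the `maxSize` constructor argument here stands in for the advisory's `cacheSize` option; the selection logic and serializer list are assumptions).

```javascript
// Added illustration of the CVE-2026-7768 defect class; NOT the
// @fastify/accepts-serializer source. Both caches map an Accept header
// string to a chosen serializer type (selection logic simplified here).
// Constructed serializer list standing in for the plugin's configuration.
const SERIALIZERS = ['application/json', 'application/xml'];

// Simplified selection: first configured type named in Accept, else the first.
function pickSerializer(acceptHeader) {
  const offered = acceptHeader.split(',').map(s => s.trim().split(';')[0]);
  return SERIALIZERS.find(t => offered.includes(t)) || SERIALIZERS[0];
}

// Vulnerable pattern (<= 6.0.3 per the advisory): every distinct Accept
// value becomes a new key and nothing is ever evicted.
class UnboundedCache {
  constructor() { this.map = new Map(); }
  get(accept) {
    if (!this.map.has(accept)) this.map.set(accept, pickSerializer(accept));
    return this.map.get(accept);
  }
  get size() { return this.map.size; }
}

// Bounded LRU, the remediation class described for 6.0.4+ (default 100,
// configurable). Map keeps insertion order: re-inserting on a hit moves the
// key to the end, so the first key is always the least recently used.
class LruCache {
  constructor(maxSize = 100) { this.maxSize = maxSize; this.map = new Map(); }
  get(accept) {
    if (this.map.has(accept)) {
      const v = this.map.get(accept);
      this.map.delete(accept);
      this.map.set(accept, v);
      return v;
    }
    const v = pickSerializer(accept);
    this.map.set(accept, v);
    if (this.map.size > this.maxSize) this.map.delete(this.map.keys().next().value);
    return v;
  }
  get size() { return this.map.size; }
}

// Feed n Accept headers that all resolve to the same serializer but differ in
// an arbitrary parameter (constructed variants), and report entries retained.
function simulate(cache, n) {
  for (let i = 0; i < n; i++) cache.get(`application/json;x=${i}`);
  return cache.size;
}
```

Running `simulate` against both caches shows the unbounded one retaining every variant while the LRU stays at its limit regardless of how many variants arrive.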
What This Means For You
- If your organization uses `@fastify/accepts-serializer` in Node.js applications, you are exposed to a remote denial-of-service attack. This is not a hypothetical threat; it's a direct path to application downtime. Immediately audit your dependencies for `@fastify/accepts-serializer` versions. If you're running 6.0.3 or earlier, upgrade to 6.0.4 or later without delay. A crashed API or web service is a critical incident, and this CVE provides an easy vector for unauthenticated attackers to achieve it.
🛡️ Detection Rules
CVE-2026-7768: Fastify Unbounded Accept Header Cache Exhaustion Attempt
```yaml
title: 'CVE-2026-7768: Fastify Unbounded Accept Header Cache Exhaustion Attempt'
id: scw-2026-05-04-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-7768 by sending numerous distinct Accept headers to a Fastify server. This rule looks for GET requests to any URI, which are common in DoS attacks targeting web applications. The vulnerability lies in the @fastify/accepts-serializer plugin's unbounded cache for serializer-selection results, keyed by the Accept header. Sending many unique Accept headers can exhaust the Node.js heap and crash the process. This rule is a primary indicator of the exploit attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7768/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|startswith:
      - '/'
    # Plain value match is already exact; 'exact' is not a Sigma modifier.
    cs-method:
      - 'GET'
  condition: selection
falsepositives:
  - Legitimate administrative activity
  - Any ordinary GET request, since the selection matches every URI; the per-source Accept-header cardinality the description relies on is not expressed in the selection
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7768 | DoS | @fastify/accepts-serializer versions <= 6.0.3 |
| CVE-2026-7768 | DoS | Unbounded cache growth in @fastify/accepts-serializer due to Accept header variants |
| CVE-2026-7768 | DoS | Node.js heap exhaustion and process crash via @fastify/accepts-serializer |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 04, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.