CVE-2026-25224 Overview
A denial-of-service vulnerability exists in Fastify's Web Streams response handling that can allow a remote client to exhaust server memory. Fastify is a fast and low overhead web framework for Node.js. Prior to version 5.7.3, applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted by this vulnerability. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation.
Critical Impact
Remote attackers can cause server memory exhaustion and process crashes by exploiting improper backpressure handling in Web Streams responses, potentially disrupting critical Node.js services.
Affected Products
- Fastify versions prior to 5.7.3
- Node.js applications using Fastify with Web Streams response handling
- Applications returning ReadableStream or Response with Web Stream body via reply.send()
Discovery Timeline
- 2026-02-03 - CVE-2026-25224 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2026-25224
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The issue manifests when Fastify handles Web Streams responses without properly implementing backpressure mechanisms. When a client deliberately reads slowly or stops reading altogether, the server continues buffering data without limits, eventually exhausting available memory.
The vulnerability affects the core streaming functionality where ReadableStream objects or Response objects containing Web Stream bodies are passed to reply.send(). Without proper flow control, the framework fails to pause data production when the consumer cannot keep up, leading to unbounded memory growth.
Root Cause
The root cause lies in Fastify's inadequate handling of backpressure signals when processing Web Streams. The framework did not properly throttle data production when downstream consumers (client connections) were unable to receive data at the expected rate. This oversight allows memory to accumulate without bounds as the server continues generating and buffering stream data regardless of client consumption rate.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Establishing a connection to a vulnerable Fastify application that serves Web Stream responses
- Initiating a request for a streaming endpoint
- Deliberately reading the response slowly or stopping reads entirely
- The server continues buffering unbounded data, eventually exhausting memory
- Multiple concurrent slow-read connections can accelerate memory exhaustion
The exploitation mechanism involves manipulating TCP receive window sizes or simply not reading from the socket, causing the server-side buffers to grow indefinitely until the Node.js process crashes or becomes severely degraded.
Detection Methods for CVE-2026-25224
Indicators of Compromise
- Abnormal memory growth in Node.js processes running Fastify applications
- Increased number of long-lived HTTP connections with minimal data transfer
- Server process crashes with out-of-memory errors
- Connections from the same source IP holding open streaming requests without completing
Detection Strategies
- Monitor Node.js heap memory usage and set alerting thresholds for abnormal growth patterns
- Implement connection tracking to identify clients with unusually slow read rates on streaming endpoints
- Deploy application performance monitoring (APM) to track reply.send() calls involving ReadableStream objects
- Use network monitoring to identify connections with disproportionate request duration to data transfer ratios
Monitoring Recommendations
- Configure memory usage alerts for Node.js processes at 70-80% of allocated memory
- Implement logging for streaming endpoint connections with duration exceeding expected thresholds
- Monitor connection counts per client IP to identify potential coordinated attacks
- Set up process restart policies to recover from memory exhaustion conditions
How to Mitigate CVE-2026-25224
Immediate Actions Required
- Upgrade Fastify to version 5.7.3 or later immediately
- Review application code for endpoints that return ReadableStream or Web Stream Response objects
- Implement connection timeouts for streaming endpoints as a defense-in-depth measure
- Consider rate limiting on endpoints that serve streamed responses
Patch Information
The vulnerability has been patched in Fastify version 5.7.3. The fix implements proper backpressure handling for Web Streams responses, ensuring that data production pauses when clients cannot consume data at the expected rate. For technical details, refer to the GitHub commit and the GitHub Security Advisory. Additional context is available in the HackerOne Security Report.
Workarounds
- If immediate upgrade is not possible, temporarily disable or restrict access to endpoints serving Web Stream responses
- Implement reverse proxy timeout configurations to forcibly close slow connections
- Use process managers like PM2 with memory limits to automatically restart processes approaching exhaustion
- Deploy connection timeout middleware to terminate long-running streaming connections
# Example: install the patched Fastify release (5.7.3 or any later 5.x)
npm install fastify@^5.7.3
# Or require it in the package.json dependencies and reinstall:
# "fastify": ">=5.7.3"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.