{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-17T11:26:32.388","vulnerabilities":[{"cve":{"id":"CVE-2026-25224","sourceIdentifier":"security-advisories@github.com","published":"2026-02-03T22:16:31.290","lastModified":"2026-02-10T19:24:48.703","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3."},{"lang":"es","value":"Fastify es un framework web rápido y de baja sobrecarga, para Node.js. Antes de la versión 5.7.3, una vulnerabilidad de denegación de servicio en el manejo de respuestas de Web Streams de Fastify puede permitir a un cliente remoto agotar la memoria del servidor. Las aplicaciones que devuelven un ReadableStream (o una Response con un cuerpo de Web Stream) a través de reply.send() se ven afectadas. Un cliente lento o que no lee puede desencadenar un almacenamiento en búfer ilimitado cuando se ignora la contrapresión, lo que lleva a caídas del proceso o una degradación severa. Este problema ha sido parcheado en la versión 5.7.3."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":2.2,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-770"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:fastify:fastify:*:*:*:*:*:node.js:*:*","versionEndExcluding":"5.7.3","matchCriteriaId":"70F0A157-C97E-4AB3-8B64-D6B21301B2DD"}]}]}],"references":[{"url":"https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://hackerone.com/reports/3524779","source":"security-advisories@github.com","tags":["Permissions Required"]}]}}]}