High severity7.5NVD Advisory· Published May 4, 2026· Updated May 7, 2026

CVE-2026-7768

Description

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@fastify/accepts-serializernpm	< 6.0.4	6.0.4

Affected products

@fastify/@fastify/accepts Serializerinferred
Range: <=6.0.3
Package: https://npmjs.com/package/@fastify/accepts-serializer

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-qxhc-wx3p-2wmgghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-7768ghsaADVISORY
cna.openjsf.org/security-advisories.htmlnvdWEB
github.com/fastify/fastify-accepts-serializer/security/advisories/GHSA-qxhc-wx3p-2wmgnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000