CVSS 7.5 HIGH Vulnerability

CVE-2026-7768: @fastify/accepts-serializer Vulnerable to Denial of Service via Unbounded Accept Header C…


CVSS Score: 7.5
Severity: HIGH
CISA KEV: NO
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-7768
Vendor: npm
Affected Product: @fastify/accepts-serializer
Vulnerability Type: Vulnerability
CVSS Score: 7.5 (HIGH)
Actively Exploited: ❌ No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis


Impact: @fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded. Under sustained load, this can exhaust the Node.js heap and crash the process.

Patches: Update to @fastify/accepts-serializer >= 6.0.4. The cache is now bounded by an LRU with a default size of 100 entries, configurable via the new cacheSize plugin option.

Workarounds: None. Upgrade is required.
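
The defect and the fix described above, reduced to a runnable model (an added example, not the plugin's source): an unbounded Map keyed by the raw Accept header beside an LRU capped at the advisory's default of 100 entries. The names pickSerializer, UnboundedCache, LruCache, cachedPick and simulate are hypothetical, and the header values are constructed.

```javascript
// Simplified model, not the plugin's source; all names are hypothetical.
const SERIALIZERS = ['application/json', 'application/yaml'];

// Stand-in for content negotiation: first configured type named in the header.
function pickSerializer(accept) {
  return SERIALIZERS.find((type) => accept.includes(type)) || null;
}

// "Before": every distinct header string becomes a permanent cache entry.
class UnboundedCache {
  constructor() { this.map = new Map(); }
  get(key) { return this.map.get(key); }
  set(key, value) { this.map.set(key, value); }
  get size() { return this.map.size; }
}

// "After": LRU bounded at cacheSize entries (default 100, per the advisory).
class LruCache {
  constructor(cacheSize = 100) { this.max = cacheSize; this.map = new Map(); }
  get(key) {
    if (!this.map.has(key)) return undefined;
    const value = this.map.get(key);
    this.set(key, value); // re-insert to mark as most recently used
    return value;
  }
  set(key, value) {
    this.map.delete(key);
    this.map.set(key, value);
    if (this.map.size > this.max) {
      // Map iterates in insertion order, so the first key is the LRU entry.
      this.map.delete(this.map.keys().next().value);
    }
  }
  get size() { return this.map.size; }
}

function cachedPick(cache, accept) {
  const hit = cache.get(accept);
  if (hit !== undefined) return hit;
  const picked = pickSerializer(accept);
  cache.set(accept, picked);
  return picked;
}

// Constructed input: n Accept values that differ only in an ignored parameter.
function simulate(cache, n) {
  for (let i = 0; i < n; i++) cachedPick(cache, `application/json;v=${i}`);
  return cache.size;
}
```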
