CVE-2026-7768: @fastify/accepts-serializer Vulnerable to Denial of Service via Unbounded Accept Header Cache Growth

May 8, 2026

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded. Under sustained load, this can exhaust the Node.js heap and crash the process.

References

cna.openjsf.org/security-advisories.html
github.com/advisories/GHSA-qxhc-wx3p-2wmg
github.com/fastify/fastify-accepts-serializer
github.com/fastify/fastify-accepts-serializer/security/advisories/GHSA-qxhc-wx3p-2wmg
nvd.nist.gov/vuln/detail/CVE-2026-7768

Code Behaviors & Features

Detect and mitigate CVE-2026-7768 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →