CVE-2026-25224

Published: 03 Feb 2026
Source: redhat
CVSS3: 3.7

Description

Fastify is a fast and low-overhead web framework for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.

A flaw was found in Fastify. A remote client can exploit this denial-of-service vulnerability by sending a slow or non-reading request when the application returns a ReadableStream (or Response with a Web Stream body) via reply.send(). This can lead to unbounded buffering, exhausting server memory. The consequence is a Denial of Service (DoS), potentially causing process crashes or severe degradation of the server.

Report

LOW. A denial-of-service flaw exists in Fastify's Web Streams response handling. This issue can lead to unbounded buffering and memory exhaustion when a remote client sends a slow or non-reading request to an application that uses reply.send() with a ReadableStream or Response with a Web Stream body. Red Hat products utilizing Fastify in this configuration are affected.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Affected packages

Platform                                  Package                                     State
Red Hat Enterprise Linux AI (RHEL AI) 3   rhelai3/bootc-cuda-rhel9                    Fix deferred
Red Hat Enterprise Linux AI (RHEL AI) 3   rhelai3/disk-image-cuda-rhel9               Fix deferred
Red Hat OpenShift AI (RHOAI)              rhoai/odh-dashboard-rhel8                   Fix deferred
Red Hat OpenShift AI (RHOAI)              rhoai/odh-dashboard-rhel9                   Fix deferred
Red Hat OpenShift AI (RHOAI)              rhoai/odh-mod-arch-gen-ai-rhel9             Fix deferred
Red Hat OpenShift AI (RHOAI)              rhoai/odh-mod-arch-model-registry-rhel9     Fix deferred
Red Hat OpenShift Dev Spaces              devspaces/dashboard-rhel9                   Fix deferred

The Recommendation and Release columns are empty for every row.


Additional information

Status: Low
Defect: CWE-770
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2436557 (Fastify: Fastify: Denial of Service via unbounded buffering in Web Streams response handling)
CVSS3: 3.7 (Low)

Related vulnerabilities

nvd (about 2 months ago), CVSS3: 3.7: same text as the first paragraph of the Description above.

github (about 2 months ago), CVSS3: 3.7 (Low): Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream