{
  "threat_severity" : "Low",
  "public_date" : "2026-02-03T21:21:35Z",
  "bugzilla" : {
    "description" : "Fastify: Fastify: Denial of Service via unbounded buffering in Web Streams response handling",
    "id" : "2436557",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2436557"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-770",
  "details" : [ "Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.", "A flaw was found in Fastify. A remote client can exploit this denial-of-service vulnerability by sending a slow or non-reading request when the application returns a ReadableStream (or Response with a Web Stream body) via reply.send(). This can lead to unbounded buffering, exhausting server memory. The consequence is a Denial of Service (DoS), potentially causing process crashes or severe degradation of the server." ],
  "statement" : "LOW. A denial-of-service flaw exists in Fastify's Web Streams response handling. This issue can lead to unbounded buffering and memory exhaustion when a remote client sends a slow or non-reading request to an application that uses `reply.send()` with a `ReadableStream` or `Response` with a Web Stream body. Red Hat products utilizing Fastify in this configuration are affected.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhelai3/bootc-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhelai3/disk-image-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-dashboard-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-dashboard-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-mod-arch-gen-ai-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-mod-arch-model-registry-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Fix deferred",
    "package_name" : "devspaces/dashboard-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-25224\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25224\nhttps://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37\nhttps://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c\nhttps://hackerone.com/reports/3524779" ],
  "name" : "CVE-2026-25224",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}