CVE-2026-7768

Fastify · @fastify/accepts-serializer

The @fastify/accepts-serializer package neither bounds the size of, nor evicts entries from, its cache of serializer-selection results, which is keyed by the request Accept header.

Executive summary

A memory exhaustion vulnerability in @fastify/accepts-serializer poses a significant risk of denial-of-service for applications relying on this library.

Vulnerability

The vulnerability involves an unbounded cache mechanism keyed by the request Accept header. An unauthenticated attacker can trigger a denial-of-service condition by flooding the service with arbitrary Accept headers, leading to excessive memory consumption.

Business impact

With a CVSS score of 7.5, this high-severity vulnerability allows attackers to crash critical web services by exhausting server memory resources. Successful exploitation results in significant system downtime, disrupting business operations and availability for legitimate users.

Remediation

Immediate Action: Upgrade the @fastify/accepts-serializer package to the latest patched version provided by the vendor.

Proactive Monitoring: Monitor server memory usage trends and review web server logs for an unusual volume of requests containing diverse or randomized Accept headers.

Compensating Controls: Implement rate limiting at the Web Application Firewall (WAF) or load balancer level to restrict the volume of requests from individual clients, thereby mitigating the impact of potential memory exhaustion.
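The monitoring item above asks for a review of access logs for clients sending an unusual variety of Accept headers. The following is an added example of that check (it is not code from the advisory or from the @fastify/accepts-serializer project); it assumes a JSON-lines access log with `ip` and `accept` fields per request, and the sample log lines are constructed.

```javascript
// Added example: flag clients whose requests carry an unusually high share of
// distinct Accept header values, the pattern that would fill an Accept-keyed
// cache. Log format (JSON lines with "ip" and "accept") is an assumption.

function parseLogLine(line) {
  // Tolerate blank or malformed lines instead of aborting the whole scan.
  try {
    const rec = JSON.parse(line);
    if (typeof rec.ip !== 'string') return null;
    return { ip: rec.ip, accept: typeof rec.accept === 'string' ? rec.accept : '' };
  } catch {
    return null;
  }
}

// Per-client request count and set of distinct Accept values.
function acceptDiversityByClient(logText) {
  const stats = new Map();
  for (const line of logText.split('\n')) {
    const rec = parseLogLine(line);
    if (!rec) continue;
    let s = stats.get(rec.ip);
    if (!s) { s = { requests: 0, distinct: new Set() }; stats.set(rec.ip, s); }
    s.requests += 1;
    s.distinct.add(rec.accept);
  }
  return stats;
}

// A client is flagged when it has sent at least minRequests and the ratio of
// distinct Accept values to requests is at or above minDistinctRatio.
function flagAcceptFlooding(logText, { minRequests = 10, minDistinctRatio = 0.5 } = {}) {
  const flagged = [];
  for (const [ip, s] of acceptDiversityByClient(logText)) {
    if (s.requests >= minRequests && s.distinct.size / s.requests >= minDistinctRatio) {
      flagged.push({ ip, requests: s.requests, distinctAccept: s.distinct.size });
    }
  }
  return flagged;
}

// Constructed sample log: an ordinary client alternating between two normal
// Accept values, and a flooding client whose every request uses a new value.
const SAMPLE_LOG = [
  ...Array.from({ length: 12 }, (_, i) => JSON.stringify({
    ip: '203.0.113.10', path: '/api/items', accept: i % 2 ? 'text/html' : 'application/json' })),
  ...Array.from({ length: 20 }, (_, i) => JSON.stringify({
    ip: '198.51.100.7', path: '/api/items', accept: `application/x-constructed-${i}` })),
  'not a json line',
].join('\n');

console.log(flagAcceptFlooding(SAMPLE_LOG)); // flags only 198.51.100.7
```

The thresholds are starting points; tune `minRequests` and `minDistinctRatio` against a baseline of the service's normal Accept header distribution before alerting on them.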

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the ease with which an unauthenticated actor could trigger a service crash, immediate remediation is required. Security teams should prioritize patching this dependency to prevent availability degradation and ensure service stability.