chore(deps): update dependency fastify to v5.7.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
fastify (source)	5.7.2 → 5.7.3

GitHub Vulnerability Alerts

CVE-2026-25224

Impact

A Denial of Service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation.

Patches

The issue is fixed in Fastify 5.7.3. Users should upgrade to 5.7.3 or later.

Workarounds

Avoid sending Web Streams from Fastify responses (e.g., ReadableStream or Response bodies). Use Node.js streams (stream.Readable) or buffered payloads instead until the project can upgrade.

References

• https://hackerone.com/reports/3524779

---

Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream

CVE-2026-25224 / GHSA-mrq3-vjjr-p77c

More information

Details

Impact

A Denial of Service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation.

Patches

The issue is fixed in Fastify 5.7.3. Users should upgrade to 5.7.3 or later.

Workarounds

Avoid sending Web Streams from Fastify responses (e.g., ReadableStream or Response bodies). Use Node.js streams (stream.Readable) or buffered payloads instead until the project can upgrade.

References

• https://hackerone.com/reports/3524779

Severity

• CVSS Score: 3.7 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c
• https://nvd.nist.gov/vuln/detail/CVE-2026-25224
• https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37
• https://hackerone.com/reports/3524779
• https://github.com/fastify/fastify

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

fastify/fastify (fastify)

v5.7.3

Compare Source

⚠️ Security Release

• Fix GHSA-mrq3-vjjr-p77c CVE-2026-25224.

What's Changed

• docs: update Reply.send() documentation for string serialization by @​mcollina in #​6466
• chore: ignore agents config files by @​mcollina in #​6474
• docs: update vulnerability reporting to use GitHub Security by @​mcollina in #​6475

Full Changelog: fastify/fastify@v5.7.2...v5.7.3

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🏷️ Required labels (at least one) (1)

• review

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}