Description
Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\r, \n). Since the SSE protocol treats both \r and \n as field delimiters and \n\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. This vulnerability is fixed in 11.1.18.
Published: 2026-04-07
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Event Injection, Potential Data Manipulation
Action: Immediate Patch
AI Analysis

Impact

NestJS interpolates message.type and message.id directly into Server-Sent Events text protocol output without stripping newline characters. The SSE protocol interprets carriage return and line feed as field delimiters and consecutive line feeds as event boundaries. An attacker who can influence these fields can therefore inject arbitrary SSE events, spoof event types, and corrupt the reconnection state sent to downstream clients. This allows the attacker to deliver malicious event data to browsers or other consumers of the stream, potentially leading to data manipulation or unintended application behavior.
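
The behaviour described above, as an added example (not NestJS source code and not the 11.1.18 patch): a simplified serializer that interpolates type and id as-is, a variant that strips CR/LF first, and a minimal SSE parser showing what a client receives in each case. All function names and the sample message are assumptions constructed for illustration.

```javascript
// Simplified stand-in for the behaviour the advisory describes: type and id
// go into the SSE wire format unmodified. data is assumed single-line here.
function serializeUnsafe(msg) {
  let out = '';
  if (msg.type) out += `event: ${msg.type}\n`;
  if (msg.id) out += `id: ${msg.id}\n`;
  return out + `data: ${msg.data}\n\n`;
}

// Hardened variant (assumed mitigation): drop CR and LF from one-line fields.
const stripLineBreaks = (v) => String(v).replace(/[\r\n]/g, '');
function serializeSafe(msg) {
  return serializeUnsafe({
    ...msg,
    type: msg.type && stripLineBreaks(msg.type),
    id: msg.id && stripLineBreaks(msg.id),
  });
}

// Minimal client-side view: CR, LF and CRLF each end a line, and an empty
// line dispatches the event accumulated so far (if it has any data).
function parseSse(text) {
  const events = [];
  let cur = { type: 'message', id: undefined, data: [] };
  for (const line of text.split(/\r\n|\r|\n/)) {
    if (line === '') {
      if (cur.data.length) {
        events.push({ type: cur.type, id: cur.id, data: cur.data.join('\n') });
      }
      cur = { type: 'message', id: cur.id, data: [] };
      continue;
    }
    const m = /^([^:]+): ?(.*)$/.exec(line);
    if (!m) continue; // comment lines and malformed lines are ignored
    if (m[1] === 'event') cur.type = m[2];
    else if (m[1] === 'id') cur.id = m[2];
    else if (m[1] === 'data') cur.data.push(m[2]);
  }
  return events;
}

// Constructed sample: the type value arrives from an upstream data source.
const sample = { type: 'price\ndata: forged\n\nevent: alert', id: '7', data: 'real' };

console.log('unsafe:', parseSse(serializeUnsafe(sample)));
console.log('safe:  ', parseSse(serializeSafe(sample)));
```

With the unsafe serializer the client sees two events, one of them never sent by the application and the genuine one carrying a spoofed type; with line breaks stripped it sees a single event whose type is one inert string.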

Affected Systems

NestJS framework versions prior to 11.1.18 are affected. The vulnerability is in the nestjs:nest product. Any application running one of these versions, without having upgraded to 11.1.18 or later, is vulnerable.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. The EPSS score of less than one percent suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. The attack requires an attacker to inject newline characters via the message.type or message.id fields, implying that the threat vector is upstream data manipulation, such as through a crafted request or injected content in the message pipeline. When successful, the attacker can inject custom SSE events and potentially undermine client trust or cause unintended data flow.

Generated by OpenCVE AI on April 9, 2026 at 01:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the NestJS framework to version 11.1.18 or later.
  • Verify that all dependent packages are updated in accordance with the new framework version.
  • After upgrading, restart all services that depend on the NestJS framework to ensure the patch is applied.



Advisories
Source: Github GHSA
ID: GHSA-36xv-jgw5-4q75
Title: @nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')
History

Fri, 17 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:nestjs:nest:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:L'}


Thu, 09 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-93
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

threat_severity

Moderate


Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Nestjs
Nestjs nest
Vendors & Products Nestjs
Nestjs nest

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\r, \n). Since the SSE protocol treats both \r and \n as field delimiters and \n\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. This vulnerability is fixed in 11.1.18.
Title @nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')
Weaknesses CWE-74
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T15:58:37.067Z

Reserved: 2026-04-03T02:15:39.280Z

Link: CVE-2026-35515

Vulnrichment

Updated: 2026-04-07T15:49:00.468Z

NVD

Status: Analyzed

Published: 2026-04-07T16:16:27.773

Modified: 2026-04-17T20:36:10.247

Link: CVE-2026-35515

Redhat

Severity: Moderate

Public Date: 2026-04-07T15:06:10Z

Links: CVE-2026-35515 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-09T08:28:45Z

Weaknesses