Description
Next AI Draw.io is a next.js web application that integrates AI capabilities with draw.io diagrams. Prior to 0.4.15, the embedded HTTP sidecar contains three POST handlers (/api/state, /api/restore, and /api/history-svg) that process incoming requests by accumulating the entire request body into a JavaScript string without any size limitations. Node.js buffers the entire payload in the V8 heap. Sending a sufficiently large body (e.g., 500 MiB or more) will exhaust the process heap memory, leading to an Out-of-Memory (OOM) error that crashes the MCP server. This vulnerability is fixed in 0.4.15.
Published: 2026-04-21
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (out-of-memory crash)
Action: Apply Patch
AI Analysis

Impact

The flaw allows an attacker to send arbitrarily large POST request bodies to the /api/state, /api/restore and /api/history-svg endpoints of Next AI Draw.io. The application concatenates the entire request payload into a JavaScript string without any size check, causing Node.js to allocate the full size in the V8 heap. A request of roughly 500 MiB or more exhausts the process memory and triggers an Out-of-Memory error that crashes the service. This is a resource exhaustion vulnerability (CWE-770).

Affected Systems

The vulnerability affects the Next AI Draw.io web application, version 0.4.14 and earlier, published by the vendor DayuanJiang. Any exposed instance of the application is affected, specifically through the three POST endpoints mentioned above.

Risk and Exploitability

The CVSS score of 6.2 denotes moderate severity, and the absence of an EPSS score indicates no publicly known exploitation frequency. The vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, requiring only that an attacker can reach the HTTP endpoints; no authentication or local execution is needed. Successful exploitation results in a denial of service for all users of the affected instance and could create a DoS cascade if multiple instances share resources.

Generated by OpenCVE AI on April 22, 2026 at 05:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Next AI Draw.io to version 0.4.15 or newer, which limits request body size and protects against OOM.
  • Configure the reverse proxy or application server to enforce a maximum request body size (for example, Nginx client_max_body_size or a similar directive) to prevent large payloads from reaching the application.
  • Enable application-level resource limits or container memory quotas to contain any accidental memory exhaustion and to ensure the service can be restarted quickly if an OOM occurs.

Generated by OpenCVE AI on April 22, 2026 at 05:37 UTC.
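The unbounded accumulation described under Impact and the body-size limit the recommended actions call for, shown side by side as an added illustration that is not code from Next AI Draw.io or OpenCVE. The cap value, the handler wiring and the onBody callback are assumptions for the example, not the project's API.

```javascript
// Added example, not code from Next AI Draw.io: the unbounded accumulation
// pattern beside a byte-capped one, and how a Node http handler would use it.

// Vulnerable pattern: each chunk is appended, so the body grows to whatever
// size the client sends and the whole payload sits in the V8 heap.
function accumulateUnbounded(chunks) {
  let body = '';
  for (const chunk of chunks) body += chunk.toString();
  return body;
}

// Bounded accumulator: counts bytes (not characters) and refuses further
// input once the cap is passed; push() returns false on the first overflow.
class BoundedBody {
  constructor(maxBytes) {
    Object.assign(this, { maxBytes, size: 0, parts: [], exceeded: false });
  }
  push(chunk) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
    this.size += buf.length;
    if (this.size > this.maxBytes) {
      this.exceeded = true;
      this.parts = []; // release what was buffered so far
      return false;
    }
    this.parts.push(buf);
    return true;
  }
  // null once the cap was exceeded, otherwise the decoded body
  text() { return this.exceeded ? null : Buffer.concat(this.parts).toString('utf8'); }
}

// Hypothetical handler wiring (maxBytes is an assumed deployment value):
// reject a declared Content-Length above the cap, then enforce it per chunk
// and destroy the request so the rest of the payload is never buffered.
function makeLimitedHandler(maxBytes, onBody) {
  return (req, res) => {
    if (Number(req.headers['content-length'] || 0) > maxBytes) {
      res.writeHead(413).end();
      return req.destroy();
    }
    const acc = new BoundedBody(maxBytes);
    req.on('data', (chunk) => {
      if (!acc.push(chunk)) { res.writeHead(413).end(); req.destroy(); }
    });
    req.on('end', () => { if (!acc.exceeded) onBody(acc.text(), res); });
  };
}
```

A reverse-proxy limit such as Nginx client_max_body_size stops oversized bodies earlier, but the in-process cap still matters for any path that bypasses the proxy.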

Tracking


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Dayuanjiang; Dayuanjiang next-ai-draw-io

Type: Vendors & Products
Values Added: Dayuanjiang; Dayuanjiang next-ai-draw-io

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values Added: Next AI Draw.io is a next.js web application that integrates AI capabilities with draw.io diagrams. Prior to 0.4.15, the embedded HTTP sidecar contains three POST handlers (/api/state, /api/restore, and /api/history-svg) that process incoming requests by accumulating the entire request body into a JavaScript string without any size limitations. Node.js buffers the entire payload in the V8 heap. Sending a sufficiently large body (e.g., 500 MiB or more) will exhaust the process heap memory, leading to an Out-of-Memory (OOM) error that crashes the MCP server. This vulnerability is fixed in 0.4.15.

Type: Title
Values Added: Next AI Draw.io: Unbounded HTTP Body — Denial of Service

Type: Weaknesses
Values Added: CWE-770

Type: References

Type: Metrics
Values Added:

cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T18:36:25.819Z

Reserved: 2026-04-14T14:07:59.642Z

Link: CVE-2026-40608

Vulnrichment

Updated: 2026-04-21T18:36:10.209Z

NVD

Status: Awaiting Analysis

Published: 2026-04-21T18:16:52.280

Modified: 2026-04-22T21:24:26.997

Link: CVE-2026-40608

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:45:56Z

Weaknesses