Description
Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.19, when an attacker sends many small, valid JSON messages in one TCP frame, handleData() recurses once per message; the buffer shrinks each call. maxBufferSize is never reached; call stack overflows instead. A ~47 KB payload is sufficient to trigger RangeError. This vulnerability is fixed in 11.1.19.
Published: 2026-04-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via stack overflow
Action: Apply Patch
AI Analysis

Impact

A vulnerability in the Nest framework’s JsonSocket TCP transport causes handleData() to recurse once per incoming JSON message. When an attacker sends many small, valid JSON messages in a single TCP frame, the recursion depth grows until a RangeError is thrown, resulting in an application crash. This recursive overflow falls under CWE‑674 and leads to a denial‑of‑service impact.
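The failure mode described above, next to a loop-based parser for the same input, as an added example (not NestJS source and not code from the advisory). It assumes a simplified `<length>#<json>` framing; `nextMessage`, `ParserBase`, `RecursiveParser`, `IterativeParser`, `drain` and `MAX_BUFFER_SIZE` are hypothetical names, and the constructed input is sized far past any default stack depth so the result does not depend on the exact limit.

```javascript
// Added illustration, not NestJS source; "<length>#<json>" framing and names are assumed.
const MAX_BUFFER_SIZE = 1024 * 1024; // stands in for maxBufferSize

// Parses one message at `offset`; returns null while it is still incomplete.
function nextMessage(buf, offset) {
  const sep = buf.indexOf('#', offset);
  if (sep === -1) return null;
  const len = Number(buf.slice(offset, sep));
  if (!Number.isInteger(len) || len < 0) throw new Error('corrupted length');
  const end = sep + 1 + len;
  return buf.length < end ? null : { value: JSON.parse(buf.slice(sep + 1, end)), end };
}
class ParserBase {
  constructor(onMessage) { this.buffer = ''; this.onMessage = onMessage; }
  append(chunk) {
    this.buffer += chunk;
    if (this.buffer.length > MAX_BUFFER_SIZE) throw new Error('buffer too large');
  }
}
class RecursiveParser extends ParserBase { // the pattern the advisory describes
  handleData(chunk) {
    this.append(chunk);
    const msg = nextMessage(this.buffer, 0);
    if (msg === null) return;
    this.buffer = this.buffer.slice(msg.end); // buffer shrinks on every call
    this.onMessage(msg.value);
    if (this.buffer.length > 0) this.handleData(''); // one stack frame per message
  }
}
class IterativeParser extends ParserBase { // same framing, constant stack depth
  handleData(chunk) {
    this.append(chunk);
    let offset = 0, msg;
    while ((msg = nextMessage(this.buffer, offset)) !== null) {
      this.onMessage(msg.value);
      offset = msg.end;
    }
    this.buffer = this.buffer.slice(offset); // keep only the incomplete tail
  }
}
function drain(Parser, chunks) { // feeds chunks, reports how many messages arrived
  let count = 0;
  const parser = new Parser(() => { count += 1; });
  try { chunks.forEach((c) => parser.handleData(c)); }
  catch (e) { return { count, error: e.name }; }
  return { count, error: null };
}
const frame = '2#{}'.repeat(200000); // constructed: 800,000 bytes, below the cap
console.log(drain(RecursiveParser, [frame]), drain(IterativeParser, [frame]));
```

The recursive parser stops with a `RangeError` partway through the chunk although the size cap is never hit, while the loop delivers every message; the cap still rejects a chunk that really is oversized.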

Affected Systems

All versions of the Nest framework prior to 11.1.19 are affected. Users running any 11.x release before 11.1.19 should consider themselves vulnerable.

Risk and Exploitability

The CVSS score of 7.5 corresponds to High severity. Because no EPSS score is available, the exact likelihood of exploitation is unknown, but the flaw is reachable over an untrusted network via a crafted TCP frame, implying a potential remote DoS. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires only the ability to send data to the application’s TCP socket, so authentication is not needed and the attack can be performed from the Internet if the listener is exposed.

Generated by OpenCVE AI on April 22, 2026 at 05:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to NestJS 11.1.19 or later to apply the fixed recursion handling in handleData().
  • Configure the application or network to limit the size and rate of incoming TCP frames, ensuring that large or rapid JSON payloads cannot be processed. This can be achieved by setting a maximum frame size or by implementing rate limiting on JSON message reception.
  • Restrict access to the Nest server through firewall rules or network segmentation so that only trusted sources can reach the vulnerable TCP socket.


Advisories
Source: Github GHSA
ID: GHSA-hpwf-8g29-85qm
Title: Nest Affected by DoS via Recursive handleData in JsonSocket (TCP Transport)

History

Fri, 24 Apr 2026 14:00:00 +0000

Values Added:
CPEs: cpe:2.3:a:nestjs:nest:*:*:*:*:*:node.js:*:*

Wed, 22 Apr 2026 04:30:00 +0000

Values Added:
First Time appeared: Nestjs; Nestjs nest
Vendors & Products: Nestjs; Nestjs nest

Wed, 22 Apr 2026 00:00:00 +0000

Values Added:
Description: Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.19, when an attacker sends many small, valid JSON messages in one TCP frame, handleData() recurses once per message; the buffer shrinks each call. maxBufferSize is never reached; call stack overflows instead. A ~47 KB payload is sufficient to trigger RangeError. This vulnerability is fixed in 11.1.19.
Title: Nest: DoS via Recursive handleData in JsonSocket (TCP Transport)
Weaknesses: CWE-674
References
Metrics:
cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:38:04.805Z

Reserved: 2026-04-15T15:57:41.719Z

Link: CVE-2026-40879

Vulnrichment

Updated: 2026-04-21T19:37:59.587Z

NVD

Status: Analyzed

Published: 2026-04-21T20:17:01.533

Modified: 2026-04-24T13:46:37.723

Link: CVE-2026-40879

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:45:09Z

Weaknesses