Java
CVE-2026-35515
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 20 npm packages depend on @nestjs/core (17 direct, 3 indirect)
Ecosystem-wide dependent count for version 11.1.18.
DescriptionGitHub Advisory
Impact
_What kind of vulnerability is it? Who is impacted?_
SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\r, \n). Since the SSE protocol treats both \r and \n as field delimiters and \n\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. Spring Framework's own security patch (6e97587) validates these same fields (id, event) for the same reason.
Actual impact:
- Event spoofing: Attacker forges SSE events with arbitrary
event:types, causing client-sideEventSource.addEventListener()callbacks to fire for wrong event types. - Data injection: Attacker injects arbitrary
data:payloads, potentially triggering XSS if the client renders SSE data as HTML without sanitization. - Reconnection corruption: Attacker injects
id:fields, corrupting theLast-Event-IDheader on reconnection, causing the client to miss or replay events. - Attack precondition: Requires the developer to map user-influenced data to the
typeoridfields of SSE messages. Direct HTTP request input does not reach these fields without developer code bridging the gap.
-
Patches
_Has the problem been patched? What versions should users upgrade to?_
Patched in @nestjs/core@11.1.18
AnalysisAI
NestJS Core's Server-Sent Events (SSE) stream handler fails to sanitize newline characters in message type and ID fields, allowing remote attackers to inject arbitrary SSE events, spoof event types, and corrupt client reconnection state. Affected versions prior to @nestjs/core@11.1.18 are vulnerable when developers map user-controlled data to SSE message type or id fields. This mirrors a vulnerability patched in Spring Framework and can lead to event spoofing, data injection with XSS potential, and reconnection state corruption if client applications render SSE data without additional sanitization.
Technical ContextAI
NestJS Core's SseStream._transform() method directly interpolates the message.type and message.id fields into Server-Sent Events text protocol output. The SSE protocol (RFC 9110 compatible) uses carriage returns (\r) and newlines (\n) as field delimiters and double newlines (\n\n) as event boundaries. When message.type or message.id contain newline characters, they break out of their intended field and create new fields or events in the protocol stream. The CWE-74 (Improper Neutralization of Special Elements in Output) classification reflects the lack of output encoding for protocol-specific delimiters. The npm package @nestjs/core provides the affected SseStream router component. This is functionally identical to the vulnerability patched in Spring Framework via commit 6e97587, which validates id and event fields to prevent protocol injection.
RemediationAI
Upgrade @nestjs/core to version 11.1.18 or later. This patched version sanitizes newline characters in message.type and message.id fields before interpolating them into SSE output. Users should update their package.json dependency and run npm install (or equivalent for yarn/pnpm). The patch is available via npm and GitHub release v11.1.18 at https://github.com/nestjs/nest/releases/tag/v11.1.18. The upstream fix is detailed in pull request https://github.com/nestjs/nest/pull/16686 and commit 83558ae774a990a7916141d3abe0b6548ff3a8b2. As a temporary mitigation for applications that cannot update immediately, developers should implement custom validation to reject or escape newline characters in any user-supplied data before assigning it to SSE message type or id fields.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-36xv-jgw5-4q75