Skip to main content

Java CVE-2026-35515

MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-04-06 https://github.com/nestjs/nest GHSA-36xv-jgw5-4q75
6.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Apr 06, 2026 - 19:00 vuln.today
Patch released
Apr 06, 2026 - 19:00 nvd
Patch available
CVE Published
Apr 06, 2026 - 17:59 nvd
MEDIUM 6.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 20 npm packages depend on @nestjs/core (17 direct, 3 indirect)

Ecosystem-wide dependent count for version 11.1.18.

DescriptionGitHub Advisory

Impact

_What kind of vulnerability is it? Who is impacted?_

SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\r, \n). Since the SSE protocol treats both \r and \n as field delimiters and \n\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. Spring Framework's own security patch (6e97587) validates these same fields (id, event) for the same reason.

Actual impact:

  • Event spoofing: Attacker forges SSE events with arbitrary event: types, causing client-side EventSource.addEventListener() callbacks to fire for wrong event types.
  • Data injection: Attacker injects arbitrary data: payloads, potentially triggering XSS if the client renders SSE data as HTML without sanitization.
  • Reconnection corruption: Attacker injects id: fields, corrupting the Last-Event-ID header on reconnection, causing the client to miss or replay events.
  • Attack precondition: Requires the developer to map user-influenced data to the type or id fields of SSE messages. Direct HTTP request input does not reach these fields without developer code bridging the gap.

-

Patches

_Has the problem been patched? What versions should users upgrade to?_

Patched in @nestjs/core@11.1.18

AnalysisAI

NestJS Core's Server-Sent Events (SSE) stream handler fails to sanitize newline characters in message type and ID fields, allowing remote attackers to inject arbitrary SSE events, spoof event types, and corrupt client reconnection state. Affected versions prior to @nestjs/core@11.1.18 are vulnerable when developers map user-controlled data to SSE message type or id fields. This mirrors a vulnerability patched in Spring Framework and can lead to event spoofing, data injection with XSS potential, and reconnection state corruption if client applications render SSE data without additional sanitization.

Technical ContextAI

NestJS Core's SseStream._transform() method directly interpolates the message.type and message.id fields into Server-Sent Events text protocol output. The SSE protocol (RFC 9110 compatible) uses carriage returns (\r) and newlines (\n) as field delimiters and double newlines (\n\n) as event boundaries. When message.type or message.id contain newline characters, they break out of their intended field and create new fields or events in the protocol stream. The CWE-74 (Improper Neutralization of Special Elements in Output) classification reflects the lack of output encoding for protocol-specific delimiters. The npm package @nestjs/core provides the affected SseStream router component. This is functionally identical to the vulnerability patched in Spring Framework via commit 6e97587, which validates id and event fields to prevent protocol injection.

RemediationAI

Upgrade @nestjs/core to version 11.1.18 or later. This patched version sanitizes newline characters in message.type and message.id fields before interpolating them into SSE output. Users should update their package.json dependency and run npm install (or equivalent for yarn/pnpm). The patch is available via npm and GitHub release v11.1.18 at https://github.com/nestjs/nest/releases/tag/v11.1.18. The upstream fix is detailed in pull request https://github.com/nestjs/nest/pull/16686 and commit 83558ae774a990a7916141d3abe0b6548ff3a8b2. As a temporary mitigation for applications that cannot update immediately, developers should implement custom validation to reject or escape newline characters in any user-supplied data before assigning it to SSE message type or id fields.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Vendor StatusVendor

Share

CVE-2026-35515 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy