Nest.js CVE-2026-40879

HIGH
Uncontrolled Recursion (CWE-674)
2026-04-21 GitHub_M
7.5
CVSS 3.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline (2 events)

Re-analysis Queued (cvss_changed): Apr 22, 2026 - 21:37, vuln.today
Analysis Generated: Apr 21, 2026 - 20:50, vuln.today

Description (NVD)

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.19, when an attacker sends many small, valid JSON messages in one TCP frame, handleData() recurses once per message, and the buffer shrinks with each call. Because the buffer only ever gets smaller, maxBufferSize is never reached; the call stack overflows instead. A ~47 KB payload is sufficient to trigger a RangeError. This vulnerability is fixed in 11.1.19.

Analysis (AI)

Remote attackers can crash Nest.js applications (versions prior to 11.1.19) by sending approximately 47 KB of fragmented JSON messages within a single TCP frame, triggering a call stack overflow. The handleData() function's recursive processing of small valid JSON messages causes stack exhaustion before maxBufferSize limits are enforced, resulting in RangeError and denial of service. …
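The following JavaScript is an added illustration of the failure mode described above and of the shape of the fix; it is not Nest's code, which this page does not show. The wire framing (`<byteLength>#<json>`), the class names, the `MAX_BUFFER_SIZE` value and the `buildChunk` helper are all assumptions made for the example. The recursive handler tracks its own call depth so the one-stack-frame-per-message behaviour can be observed without actually exhausting the stack; the iterative handler does the same work in a loop, so its stack depth is constant no matter how many messages arrive in a single chunk.

```javascript
// Added example, not NestJS code. Framing "<byteLength>#<json>" is assumed for
// illustration only and is not a claim about Nest's wire format.

const MAX_BUFFER_SIZE = 1024 * 1024; // hypothetical 1 MiB buffer limit

// Split one framed message off the front of `buf`.
// Returns { message, rest }, or null when the frame is still incomplete.
function parseFrame(buf) {
  const sep = buf.indexOf('#');
  if (sep === -1) return null;
  const len = Number.parseInt(buf.slice(0, sep), 10);
  if (!Number.isInteger(len) || len < 0) throw new Error('bad frame length');
  const start = sep + 1;
  if (buf.length < start + len) return null; // wait for more data
  const message = JSON.parse(buf.slice(start, start + len));
  return { message, rest: buf.slice(start + len) };
}

// Vulnerable shape: handleData() calls itself once per message left in the buffer.
// The buffer shrinks on every call, so the size limit never trips, but each call
// adds a stack frame; enough small messages in one chunk end in a RangeError.
class RecursiveHandler {
  constructor() {
    this.buffer = '';
    this.messages = [];
    this.depth = 0;    // current recursion depth
    this.maxDepth = 0; // deepest point reached, for observation in tests
  }
  handleData(chunk) {
    this.depth++;
    this.maxDepth = Math.max(this.maxDepth, this.depth);
    try {
      this.buffer += chunk;
      if (this.buffer.length > MAX_BUFFER_SIZE) throw new Error('buffer too large');
      const parsed = parseFrame(this.buffer);
      if (!parsed) return;
      this.buffer = parsed.rest;
      this.messages.push(parsed.message);
      if (this.buffer.length > 0) this.handleData(''); // one frame per message
    } finally {
      this.depth--;
    }
  }
}

// Hardened shape: identical processing in a loop, so stack depth is constant.
class IterativeHandler {
  constructor() {
    this.buffer = '';
    this.messages = [];
  }
  handleData(chunk) {
    this.buffer += chunk;
    if (this.buffer.length > MAX_BUFFER_SIZE) throw new Error('buffer too large');
    let parsed;
    while ((parsed = parseFrame(this.buffer)) !== null) {
      this.buffer = parsed.rest;
      this.messages.push(parsed.message);
    }
  }
}

// Constructed sample input: one chunk holding n tiny valid messages.
function buildChunk(n) {
  const body = JSON.stringify({ i: 0 }); // 7 bytes
  return `${body.length}#${body}`.repeat(n);
}

// Feed the same chunk to both handlers and report what each observed.
function runHandlers(n) {
  const rec = new RecursiveHandler();
  rec.handleData(buildChunk(n));
  const it = new IterativeHandler();
  it.handleData(buildChunk(n));
  return {
    recursiveDepth: rec.maxDepth,          // equals n: one stack frame per message
    recursiveCount: rec.messages.length,
    iterativeCount: it.messages.length,
  };
}
```

Running `runHandlers(200)` shows the recursive handler reaching depth 200 for 200 messages while both handlers parse the same count; only the iterative handler can be safely given tens of thousands of messages in one chunk, which is the property a reviewer should look for when a parser's buffer-size guard sits outside a self-recursive call.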


Remediation (AI)

Within 24 hours: Identify all Nest.js instances in production and staging environments and document current versions. Within 7 days: Apply Nest.js patch to version 11.1.19 or later on all affected instances, beginning with non-production environments. …


CVE-2026-40879 vulnerability details – vuln.today
