Next AI Draw.io EUVD-2026-24217

CVE-2026-40608 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-21
6.2 (CVSS 3.1)

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch available: Apr 21, 2026 - 19:01 (EUVD)
Analysis Generated: Apr 21, 2026 - 18:49 (vuln.today)

Description (NVD)

Next AI Draw.io is a Next.js web application that integrates AI capabilities with draw.io diagrams. Prior to version 0.4.15, the embedded HTTP sidecar contained three POST handlers (/api/state, /api/restore and /api/history-svg) that accumulate the entire request body into a JavaScript string with no size limit, so Node.js buffers the whole payload in the V8 heap. A sufficiently large body (for example 500 MiB or more) exhausts the process heap and triggers an Out-of-Memory (OOM) error that crashes the MCP server. This vulnerability is fixed in 0.4.15.

Analysis (AI-generated)

Denial of service in Next AI Draw.io prior to version 0.4.15 allows local attackers to crash the embedded HTTP sidecar by sending oversized request bodies to three POST endpoints (/api/state, /api/restore, /api/history-svg) that enforce no size limit, exhausting Node.js V8 heap memory and forcing an out-of-memory shutdown. The CVSS score of 6.2 reflects the local attack vector and high availability impact; no public exploit code had been confirmed at the time of analysis.
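As an added illustration (not code from the Next AI Draw.io project or its fix), a bounded body reader for a Node.js http handler: the accumulator counts bytes as chunks arrive and refuses anything past a cap, which is the guard the unpatched handlers described above lacked. MAX_BODY_BYTES, BoundedBody and readBodyLimited are names and values assumed for this example.

```javascript
// Cap on accepted body size; an assumed value, tune it per endpoint.
const MAX_BODY_BYTES = 1024 * 1024; // 1 MiB

// Core accumulator: counts bytes as they arrive and refuses to grow past the
// cap. Kept separate from socket handling so it can be unit-tested offline.
class BoundedBody {
  constructor(maxBytes) {
    this.maxBytes = maxBytes;
    this.chunks = [];
    this.received = 0;
  }
  // Returns true if the chunk was accepted, false once the cap would be exceeded.
  push(chunk) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
    if (this.received + buf.length > this.maxBytes) return false;
    this.received += buf.length;
    this.chunks.push(buf);
    return true;
  }
  text() {
    return Buffer.concat(this.chunks).toString("utf8");
  }
}

// Bounded replacement for the "concatenate every chunk into a string" pattern:
// rejects up front when Content-Length exceeds the cap, and aborts mid-stream
// if a chunked body grows past it, so the heap never holds more than maxBytes.
function readBodyLimited(req, maxBytes = MAX_BODY_BYTES) {
  return new Promise((resolve, reject) => {
    const declared = Number(req.headers["content-length"]);
    if (Number.isFinite(declared) && declared > maxBytes) {
      reject(new Error("payload too large"));
      return;
    }
    const body = new BoundedBody(maxBytes);
    req.on("data", (chunk) => {
      if (!body.push(chunk)) {
        req.destroy(); // stop reading; drops the socket and buffered data
        reject(new Error("payload too large"));
      }
    });
    req.on("end", () => resolve(body.text()));
    req.on("error", reject);
  });
}
```

In a POST handler, `await readBodyLimited(req)` and answer 413 when it rejects, so an oversized body costs at most maxBytes of heap before the connection is dropped.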
