CVE-2026-35515

MEDIUM SEVERITY

Vulnerability Description

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\r, \n). Since the SSE protocol treats both \r and \n as field delimiters and \n\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. This vulnerability is fixed in 11.1.18.

Vulnerability Details

Published Date

April 06, 2026

Last Modified

April 08, 2026

CWE ID

CWE-74

Source

GitHub

Vendor

npm

Product

@nestjs/core

External References

https://github.com/nestjs/nest/security/advisories/GHSA-36xv-jgw5-4q75
https://github.com/nestjs/nest/pull/16686
https://github.com/nestjs/nest/commit/83558ae774a990a7916141d3abe0b6548ff3a8b2
https://github.com/nestjs/nest/releases/tag/v11.1.18
https://github.com/advisories/GHSA-36xv-jgw5-4q75

CVE-2026-35515

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment