Lucene search
K

367 matches found

Github Security Blog
Github Security Blog
added 2026/04/14 12:15 a.m.7 views

Nest Affected by DoS via Recursive handleData in JsonSocket (TCP Transport)

Impact Attacker sends many small, valid JSON messages in one TCP frame → handleData recurses once per message; buffer shrinks each call → maxBufferSize is never reached; call stack overflows instead → A 47 KB payload is sufficient to trigger RangeError Patches Fixed in @nestjs/[email protected]....

7.5CVSS6AI score0.00329EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/04/07 3:6 p.m.16 views

CVE-2026-35515 @nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream.transform interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters \r, \n. Since the SSE protocol treats both \r and ...

6.3CVSS0.00234EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/07 12:0 a.m.8 views

nest 注入漏洞

Nest is a Node.js framework developed by NestJS, aimed at building efficient, scalable, and enterprise-level server-side applications using TypeScript/JavaScript. Prior to version 11.1.18, Nest had an injection vulnerability. This vulnerability stemmed from the SseStream.transform function, which...

6.3CVSS5.9AI score0.00234EPSS
Exploits0References1
OSV
OSV
added 2026/04/06 5:59 p.m.3 views

GHSA-36XV-JGW5-4Q75 @nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')

Impact What kind of vulnerability is it? Who is impacted? SseStream.transform interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters \r, \n. Since the SSE protocol treats both \r and \n as field delimiters and \n\n as...

6.3CVSS6.1AI score0.00234EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/04/06 5:59 p.m.18 views

@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')

Impact What kind of vulnerability is it? Who is impacted? SseStream.transform interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters \r, \n. Since the SSE protocol treats both \r and \n as field delimiters and \n\n as...

6.3CVSS6.1AI score0.00234EPSS
Exploits0References6Affected Software1
vulnersOsv
vulnersOsv
added 2026/04/03 9:45 p.m.8 views

@afidos/nestjs-event-notifications (>=2.2.1 <=2.2.2), @mieweb/wikigdrive (>=2.15.0 <=2.17.1) +3 more potentially affected by CVE-2026-34217 via @nyariv/sandboxjs (>=0.5.3 <=0.8.25)

@nyariv/sandboxjs NPM version =0.5.3, =2.2.1, =2.15.0, =0.2.0, =11.0.0, =12.0.1 Source cves: CVE-2026-34217 Source advisory: SNYK:JS-NYARIVSANDBOXJS-15909756...

7.2CVSS5.8AI score0.00292EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2026/04/03 9:44 p.m.7 views

@afidos/nestjs-event-notifications (>=2.2.1 <=2.2.2), @mieweb/wikigdrive (>=2.15.0 <=2.17.1) +3 more potentially affected by CVE-2026-34208 via @nyariv/sandboxjs (>=0.5.3 <=0.8.25)

@nyariv/sandboxjs NPM version =0.5.3, =2.2.1, =2.15.0, =0.2.0, =11.0.0, =12.0.1 Source cves: CVE-2026-34208 Source advisory: OSV:GHSA-2GG9-6P7W-6CPJ...

10CVSS5.8AI score0.00561EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2026/04/03 9:44 p.m.9 views

@afidos/nestjs-event-notifications (>=2.2.1 <=2.2.2), @mieweb/wikigdrive (>=2.15.0 <=2.17.1) +3 more potentially affected by CVE-2026-34208 via @nyariv/sandboxjs (>=0.5.3 <=0.8.25)

@nyariv/sandboxjs NPM version =0.5.3, =2.2.1, =2.15.0, =0.2.0, =11.0.0, =12.0.1 Source cves: CVE-2026-34208 Source advisory: SNYK:JS-NYARIVSANDBOXJS-15909755...

10CVSS5.8AI score0.00561EPSS
Exploits1
RedhatCVE
RedhatCVE
added 2026/03/26 3:0 p.m.7 views

CVE-2026-33011

Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers if they exist. As a...

8.7CVSS5.8AI score0.00346EPSS
Exploits0References1
OSV
OSV
added 2026/03/20 4:37 a.m.8 views

CVE-2026-33011 Nest Fastify HEAD Request Middleware Bypass

Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers if they exist. As a...

8.7CVSS5.8AI score0.00346EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/03/20 4:37 a.m.40 views

CVE-2026-33011 Nest Fastify HEAD Request Middleware Bypass

Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers if they exist. As a...

8.7CVSS0.00346EPSS
Exploits0References3
OSV
OSV
added 2026/03/17 6:38 p.m.5 views

GHSA-WF42-42FG-FG84 Nest Fastify HEAD Request Middleware Bypass

Impact In a NestJS application using @nestjs/platform-fastify, GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers if they exist. As a result: - Middleware will be completely skipped. - The HTTP response won't include a body since...

8.7CVSS5.8AI score0.00346EPSS
Exploits0References5
Snyk
Snyk
added 2026/03/17 6:38 p.m.6 views

Always-Incorrect Control Flow Implementation

Overview @nestjs/core is a Nest - modern, fast, powerful node.js web framework @core Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when handling a @nestjs/platform-fastify HEAD request. An attacker can bypass middleware logic by sending malicious...

8.7CVSS5.8AI score0.00346EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/03/17 3:5 p.m.6 views

org.webjars.npm:browser-sync-ui (=2.27.11), org.webjars.npm:nestjs__platform-socket.io (=9.0.0-next.2) +3 more potentially affected by CVE-2026-33151 via org.webjars.npm:socket.io-parser (>=2.3.1 <=4.2.5)

org.webjars.npm:socket.io-parser MAVEN version =2.3.1, =0.3.1, =0.5.0 - org.webjars.npm:socket.io-client =4.8.3 Source cves: CVE-2026-33151 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15680279...

8.7CVSS5.8AI score0.00514EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/03/13 1:46 p.m.6 views

@afidos/nestjs-event-notifications (>=2.2.1 <=2.2.2), @mieweb/wikigdrive (>=2.15.0 <=2.17.1) +3 more potentially affected by CVE-2026-26954 via @nyariv/sandboxjs (>=0.5.3 <=0.8.25)

@nyariv/sandboxjs NPM version =0.5.3, =2.2.1, =2.15.0, =0.2.0, =11.0.0, =12.0.1 Source cves: CVE-2026-26954 Source advisory: SNYK:JS-NYARIVSANDBOXJS-15518695...

10CVSS5.8AI score0.00547EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2026/03/04 6:27 p.m.14 views

org.webjars.npm:nestjs__platform-express (>=8.4.7 <=9.0.0-next.2) potentially affected by CVE-2026-3520 via org.webjars.npm:multer (=1.4.4-lts.1)

org.webjars.npm:multer MAVEN version =1.4.4-lts.1 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:multer and may be impacted: - org.webjars.npm:nestjsplatform-express =8.4.7, =9.0.0-next.2 Source cves: CVE-2026-3520 Source advisory:...

8.7CVSS5.8AI score0.00713EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/03/04 6:27 p.m.6 views

4591-libs (>=0.0.1 <=0.2.0), @10abdullahbutt/nestjs-boilerplate (=0.0.1) +1489 more potentially affected by CVE-2026-3520 via multer (>=2.0.0-alpha.2 <=2.1.0)

multer NPM version =2.0.0-alpha.2, =0.0.1, =0.0.1-alpha.1, =0.0.1-alpha.9, =0.0.0-alpha.119, =1.2.1, =0.0.1, =1.0.0, =0.1.1, =0.0.1, =0.0.1, =0.0.1, =0.1.0, =0.0.2, =0.0.10, =0.6.2 and more Source cves: CVE-2026-3520 Source advisory: SNYK:JS-MULTER-15417528...

8.7CVSS5.7AI score0.00713EPSS
Exploits0
OSV
OSV
added 2026/03/02 2:34 p.m.3 views

GHSA-R4WM-X892-VJMX Nest has a Fastify URL Encoding Middleware Bypass

Impact What kind of vulnerability is it? Who is impacted? A NestJS application using @nestjs/platform-fastify can allow bypass of any middleware when Fastify path-normalization options e.g., ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter are enabled. In affected route-scoped...

8.2CVSS6.1AI score0.00666EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2026/03/02 2:34 p.m.13 views

Nest has a Fastify URL Encoding Middleware Bypass

Impact What kind of vulnerability is it? Who is impacted? A NestJS application using @nestjs/platform-fastify can allow bypass of any middleware when Fastify path-normalization options e.g., ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter are enabled. In affected route-scoped...

9.8CVSS6.1AI score0.00666EPSS
Exploits1References6Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/02 12:37 p.m.7 views

CVE-2026-2293

A flaw was found in NestJS. When a NestJS application uses @nestjs/platform-fastify with Fastify path-normalization options enabled, a remote attacker can exploit this to bypass authentication and authorization middleware. This bypass allows unauthorized access to protected resources, compromisin...

8.2CVSS5.9AI score0.00666EPSS
Exploits1References6
Rows per page
Query Builder