367 matches found
Nest Affected by DoS via Recursive handleData in JsonSocket (TCP Transport)
Impact Attacker sends many small, valid JSON messages in one TCP frame → handleData recurses once per message; buffer shrinks each call → maxBufferSize is never reached; call stack overflows instead → A 47 KB payload is sufficient to trigger RangeError Patches Fixed in @nestjs/[email protected]....
CVE-2026-35515 @nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')
Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream.transform interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters \r, \n. Since the SSE protocol treats both \r and ...
nest 注入漏洞
Nest is a Node.js framework developed by NestJS, aimed at building efficient, scalable, and enterprise-level server-side applications using TypeScript/JavaScript. Prior to version 11.1.18, Nest had an injection vulnerability. This vulnerability stemmed from the SseStream.transform function, which...
GHSA-36XV-JGW5-4Q75 @nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')
Impact What kind of vulnerability is it? Who is impacted? SseStream.transform interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters \r, \n. Since the SSE protocol treats both \r and \n as field delimiters and \n\n as...
@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')
Impact What kind of vulnerability is it? Who is impacted? SseStream.transform interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters \r, \n. Since the SSE protocol treats both \r and \n as field delimiters and \n\n as...
@afidos/nestjs-event-notifications (>=2.2.1 <=2.2.2), @mieweb/wikigdrive (>=2.15.0 <=2.17.1) +3 more potentially affected by CVE-2026-34217 via @nyariv/sandboxjs (>=0.5.3 <=0.8.25)
@nyariv/sandboxjs NPM version =0.5.3, =2.2.1, =2.15.0, =0.2.0, =11.0.0, =12.0.1 Source cves: CVE-2026-34217 Source advisory: SNYK:JS-NYARIVSANDBOXJS-15909756...
@afidos/nestjs-event-notifications (>=2.2.1 <=2.2.2), @mieweb/wikigdrive (>=2.15.0 <=2.17.1) +3 more potentially affected by CVE-2026-34208 via @nyariv/sandboxjs (>=0.5.3 <=0.8.25)
@nyariv/sandboxjs NPM version =0.5.3, =2.2.1, =2.15.0, =0.2.0, =11.0.0, =12.0.1 Source cves: CVE-2026-34208 Source advisory: OSV:GHSA-2GG9-6P7W-6CPJ...
@afidos/nestjs-event-notifications (>=2.2.1 <=2.2.2), @mieweb/wikigdrive (>=2.15.0 <=2.17.1) +3 more potentially affected by CVE-2026-34208 via @nyariv/sandboxjs (>=0.5.3 <=0.8.25)
@nyariv/sandboxjs NPM version =0.5.3, =2.2.1, =2.15.0, =0.2.0, =11.0.0, =12.0.1 Source cves: CVE-2026-34208 Source advisory: SNYK:JS-NYARIVSANDBOXJS-15909755...
CVE-2026-33011
Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers if they exist. As a...
CVE-2026-33011 Nest Fastify HEAD Request Middleware Bypass
Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers if they exist. As a...
CVE-2026-33011 Nest Fastify HEAD Request Middleware Bypass
Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers if they exist. As a...
GHSA-WF42-42FG-FG84 Nest Fastify HEAD Request Middleware Bypass
Impact In a NestJS application using @nestjs/platform-fastify, GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers if they exist. As a result: - Middleware will be completely skipped. - The HTTP response won't include a body since...
Always-Incorrect Control Flow Implementation
Overview @nestjs/core is a Nest - modern, fast, powerful node.js web framework @core Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when handling a @nestjs/platform-fastify HEAD request. An attacker can bypass middleware logic by sending malicious...
org.webjars.npm:browser-sync-ui (=2.27.11), org.webjars.npm:nestjs__platform-socket.io (=9.0.0-next.2) +3 more potentially affected by CVE-2026-33151 via org.webjars.npm:socket.io-parser (>=2.3.1 <=4.2.5)
org.webjars.npm:socket.io-parser MAVEN version =2.3.1, =0.3.1, =0.5.0 - org.webjars.npm:socket.io-client =4.8.3 Source cves: CVE-2026-33151 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15680279...
@afidos/nestjs-event-notifications (>=2.2.1 <=2.2.2), @mieweb/wikigdrive (>=2.15.0 <=2.17.1) +3 more potentially affected by CVE-2026-26954 via @nyariv/sandboxjs (>=0.5.3 <=0.8.25)
@nyariv/sandboxjs NPM version =0.5.3, =2.2.1, =2.15.0, =0.2.0, =11.0.0, =12.0.1 Source cves: CVE-2026-26954 Source advisory: SNYK:JS-NYARIVSANDBOXJS-15518695...
org.webjars.npm:nestjs__platform-express (>=8.4.7 <=9.0.0-next.2) potentially affected by CVE-2026-3520 via org.webjars.npm:multer (=1.4.4-lts.1)
org.webjars.npm:multer MAVEN version =1.4.4-lts.1 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:multer and may be impacted: - org.webjars.npm:nestjsplatform-express =8.4.7, =9.0.0-next.2 Source cves: CVE-2026-3520 Source advisory:...
4591-libs (>=0.0.1 <=0.2.0), @10abdullahbutt/nestjs-boilerplate (=0.0.1) +1489 more potentially affected by CVE-2026-3520 via multer (>=2.0.0-alpha.2 <=2.1.0)
multer NPM version =2.0.0-alpha.2, =0.0.1, =0.0.1-alpha.1, =0.0.1-alpha.9, =0.0.0-alpha.119, =1.2.1, =0.0.1, =1.0.0, =0.1.1, =0.0.1, =0.0.1, =0.0.1, =0.1.0, =0.0.2, =0.0.10, =0.6.2 and more Source cves: CVE-2026-3520 Source advisory: SNYK:JS-MULTER-15417528...
GHSA-R4WM-X892-VJMX Nest has a Fastify URL Encoding Middleware Bypass
Impact What kind of vulnerability is it? Who is impacted? A NestJS application using @nestjs/platform-fastify can allow bypass of any middleware when Fastify path-normalization options e.g., ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter are enabled. In affected route-scoped...
Nest has a Fastify URL Encoding Middleware Bypass
Impact What kind of vulnerability is it? Who is impacted? A NestJS application using @nestjs/platform-fastify can allow bypass of any middleware when Fastify path-normalization options e.g., ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter are enabled. In affected route-scoped...
CVE-2026-2293
A flaw was found in NestJS. When a NestJS application uses @nestjs/platform-fastify with Fastify path-normalization options enabled, a remote attacker can exploit this to bypass authentication and authorization middleware. This bypass allows unauthorized access to protected resources, compromisin...