CVE-2026-35515
Published:April 07, 2026
Updated:April 20, 2026
Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\r, \n). Since the SSE protocol treats both \r and \n as field delimiters and \n\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. This vulnerability is fixed in 11.1.18.
Affected Packages
https://github.com/nestjs/nest.git (GITHUB):
Affected version(s) >=v4.4.0 <v11.1.18Fix Suggestion:
Update to version v11.1.18@nestjs/core (NPM):
Affected version(s) >=1.0.2 <11.1.18Fix Suggestion:
Update to version 11.1.18Related Resources (6)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.2
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
NONE
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
EPSS
Base Score:
0.02
