{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40879", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T15:57:41.719Z", "datePublished": "2026-04-21T19:14:17.894Z", "dateUpdated": "2026-04-21T19:38:04.805Z"}, "containers": {"cna": {"title": "Nest: DoS via Recursive handleData in JsonSocket (TCP Transport)", "problemTypes": [{"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nestjs/nest/security/advisories/GHSA-hpwf-8g29-85qm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nestjs/nest/security/advisories/GHSA-hpwf-8g29-85qm"}], "affected": [{"vendor": "nestjs", "product": "nest", "versions": [{"version": "< 11.1.19", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:14:17.894Z"}, "descriptions": [{"lang": "en", "value": "Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.19, when an attacker sends many small, valid JSON messages in one TCP frame, handleData() recurses once per message; the buffer shrinks each call. maxBufferSize is never reached; call stack overflows instead. A ~47 KB payload is sufficient to trigger RangeError. This vulnerability is fixed in 11.1.19."}], "source": {"advisory": "GHSA-hpwf-8g29-85qm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:37:57.073705Z", "id": "CVE-2026-40879", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:38:04.805Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40879", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:37:57.073705Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:37:59.587Z"}}], "cna": {"title": "Nest: DoS via Recursive handleData in JsonSocket (TCP Transport)", "source": {"advisory": "GHSA-hpwf-8g29-85qm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nestjs", "product": "nest", "versions": [{"status": "affected", "version": "< 11.1.19"}]}], "references": [{"url": "https://github.com/nestjs/nest/security/advisories/GHSA-hpwf-8g29-85qm", "name": "https://github.com/nestjs/nest/security/advisories/GHSA-hpwf-8g29-85qm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.19, when an attacker sends many small, valid JSON messages in one TCP frame, handleData() recurses once per message; the buffer shrinks each call. maxBufferSize is never reached; call stack overflows instead. A ~47 KB payload is sufficient to trigger RangeError. This vulnerability is fixed in 11.1.19."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-674", "description": "CWE-674: Uncontrolled Recursion"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:14:17.894Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40879", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:38:04.805Z", "dateReserved": "2026-04-15T15:57:41.719Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T19:14:17.894Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.19, when an attacker sends many small, valid JSON messages in one TCP frame, handleData() recurses once per message; the buffer shrinks each call. maxBufferSize is never reached; call stack overflows instead. A ~47 KB payload is sufficient to trigger RangeError. This vulnerability is fixed in 11.1.19."}], "id": "CVE-2026-40879", "lastModified": "2026-04-21T20:17:01.533", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T20:17:01.533", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/nestjs/nest/security/advisories/GHSA-hpwf-8g29-85qm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.1.19)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nest", "source": "cna", "vendor": "nestjs"}, "product": "nest", "vendor": "nestjs"}], "analysis": {"en": {"generated_at": "2026-04-22T05:32:29.974306+00:00", "value": {"mitigation_remediation": ["Upgrade to NestJS\u202f11.1.19 or later to apply the fixed recursion handling in handleData().", "Configure the application or network to limit the size and rate of incoming TCP frames, ensuring that large or rapid JSON payloads cannot be processed. This can be achieved by setting a maximum frame size or by implementing rate limiting on JSON message reception.", "Restrict access to the Nest server through firewall rules or network segmentation so that only trusted sources can reach the vulnerable TCP socket."], "summary": {"action": "Apply Patch", "impact": "Denial of Service via stack overflow"}, "threat_synthesis": {"affected_systems": "All versions of the Nest framework prior to 11.1.19 are affected. Users running any 11.x release before 11.1.19 should consider themselves vulnerable.", "description_and_impact": "A vulnerability in the Nest framework\u2019s JsonSocket TCP transport causes handleData() to recurse once per incoming JSON message. When an attacker sends many small, valid JSON messages in a single TCP frame, the recursion depth grows until a RangeError is thrown, resulting in an application crash. This recursive overflow falls under CWE\u2011674 and leads to a denial\u2011of\u2011service impact.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a medium\u2011to\u2011high severity. Because no EPSS score is available, the exact likelihood of exploitation is unknown, but the flaw is reachable over an untrusted network via a crafted TCP frame, implying a potential remote DoS. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires only the ability to send data to the application\u2019s TCP socket, so authentication is not needed and the attack can be performed from the Internet if the listener is exposed."}}}}, "created": "2026-04-22T04:15:07.396127+00:00", "updated": "2026-04-22T05:45:09.819333+00:00", "vendors": ["nestjs", "nestjs$PRODUCT$nest"]}