CVE-2026-35515
Published 2026-04-07
Priority P4 · Medium 6.1 (CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:L)
EPSS 0.23% (14.2th percentile)
Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\r, \n). Since the SSE protocol treats both \r and \n as field delimiters and \n\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. This vulnerability is fixed in 11.1.18.
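The mechanism in the description above, as an added example that is neither NestJS's code nor its fix: a serializer that interpolates `type` and `id` into the wire format the way the advisory describes, a hardened one that refuses CR/LF in single-line fields, and a parser that follows the WHATWG event-stream rules so the client-side effect (an extra event, a spoofed `event` name, a forged last event ID that would go back in `Last-Event-ID`) is visible. The message shapes are constructed, and the choice to reject rather than strip line breaks is an assumption about the fix, not a statement of what 11.1.18 does.

```javascript
// Added example: not NestJS's own code. It models the pattern the advisory
// describes (type/id interpolated straight into the SSE wire format), a
// hardened serializer, and a parser that follows the WHATWG event stream
// processing model so the effect on a client can be observed.

// Vulnerable serializer (constructed to mirror the advisory's description).
function serializeSseVulnerable(msg) {
  let out = '';
  if (msg.type !== undefined) out += `event: ${msg.type}\n`;
  if (msg.id !== undefined) out += `id: ${msg.id}\n`;
  // Splitting data on line breaks is correct: each piece becomes its own data: line.
  for (const line of String(msg.data).split(/\r\n|\r|\n/)) out += `data: ${line}\n`;
  return out + '\n';
}

// Hardened serializer: single-line fields (event, id, retry) must not contain
// CR or LF. Rejecting is one choice; stripping them is another. Which one the
// NestJS fix uses is not stated on this page, so rejecting is an assumption.
function serializeSseSafe(msg) {
  const singleLine = (name, value) => {
    const s = String(value);
    if (/[\r\n]/.test(s)) throw new TypeError(`SSE field "${name}" must not contain CR or LF`);
    return s;
  };
  let out = '';
  if (msg.type !== undefined) out += `event: ${singleLine('event', msg.type)}\n`;
  if (msg.id !== undefined) out += `id: ${singleLine('id', msg.id)}\n`;
  if (msg.retry !== undefined) {
    if (!Number.isInteger(msg.retry) || msg.retry < 0) throw new TypeError('retry must be a non-negative integer');
    out += `retry: ${msg.retry}\n`;
  }
  for (const line of String(msg.data).split(/\r\n|\r|\n/)) out += `data: ${line}\n`;
  return out + '\n';
}

// Client-side parser following the WHATWG "interpret an event stream" rules:
// CRLF, CR and LF all end a line; a blank line dispatches the buffered event;
// `id:` updates the last event ID that a browser sends back as Last-Event-ID.
function parseSse(text) {
  const events = [];
  let dataBuf = [];
  let eventType = '';
  let lastEventId = '';
  for (const line of text.split(/\r\n|\r|\n/)) {
    if (line === '') {
      // Dispatch only if there is buffered data; reset buffers either way.
      if (dataBuf.length > 0) {
        events.push({ type: eventType || 'message', lastEventId, data: dataBuf.join('\n') });
      }
      dataBuf = [];
      eventType = '';
      continue;
    }
    if (line.startsWith(':')) continue; // comment line
    const colon = line.indexOf(':');
    const field = colon === -1 ? line : line.slice(0, colon);
    let value = colon === -1 ? '' : line.slice(colon + 1);
    if (value.startsWith(' ')) value = value.slice(1);
    if (field === 'event') eventType = value;
    else if (field === 'data') dataBuf.push(value);
    else if (field === 'id' && !value.includes('\u0000')) lastEventId = value;
    // retry and unknown fields are ignored in this model.
  }
  return events;
}

// Two constructed attacker-influenced messages (not real traffic).
function demo() {
  // LF inside `type`: ends the event: line, smuggles a complete extra event with
  // its own id and data, then re-opens a second event that carries the real payload.
  const viaType = {
    type: 'progress\nid: 999\ndata: {"role":"admin"}\n\nevent: legit',
    id: '1',
    data: 'hello',
  };
  // CR inside `id`: a lone CR also ends a line, so the attacker prepends a data: line.
  const viaId = { type: 'tick', id: '7\rdata: forged', data: 'real' };

  const result = {
    viaType: parseSse(serializeSseVulnerable(viaType)),
    viaId: parseSse(serializeSseVulnerable(viaId)),
    safeRejects: [],
    benign: parseSse(serializeSseSafe({ type: 'progress', id: '1', data: 'line1\nline2' })),
  };
  for (const m of [viaType, viaId]) {
    try { serializeSseSafe(m); result.safeRejects.push(false); }
    catch (e) { result.safeRejects.push(e instanceof TypeError); }
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with node; `demo()` returns the events a client would dispatch for each case. In the `viaType` case the vulnerable serializer yields two events where one was intended: the first carries the attacker's `data` and sets the last event ID to `999`, which a browser would send as `Last-Event-ID` on its next reconnect. Rejecting surfaces the upstream bug loudly; stripping keeps the stream alive but silently changes the value. Either way the check belongs in the serializer, since every field written on its own line (`event:`, `id:`, `retry:`) is a delimiter boundary.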
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nestjs | core | >= 0 < 11.1.18 | 11.1.18 |
| nestjs | nest | < 11.1.18 | 11.1.18 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:L |
| NVD | 4.0 | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| Red Hat (vendor) | | 6.3 | MEDIUM | |
GHSA
ghsa · 2026-04-06 · CVE-2026-35515 · MEDIUM · CWE-74
@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')
### Impact
_What kind of vulnerability is it? Who is impacted?_
[`SseStream._transform()`](https://github.com/nestjs/nest/blob/dea5279ef8fcb568de158003e4281759a2cd7675/packages/core/router/sse-stream.ts) interpolates `message.type` and `message.id` directly into Server-Sent Events text protocol output without sanitizing newline characters (`\r`, `\n`). Since the SSE protocol treats both `\r` and `\n` as field delimiters and `\n\n` as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. Spring Framework's own security patch ([6e97587](https://github.com/spring-pr
OSV
osv · 2026-04-06 · CVE-2026-35515 · MEDIUM
@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')
Advisory text identical to the GHSA entry above.
Red Hat
vendor_redhat · 2026-04-07 · CVSS 6.3 · CVE-2026-35515 · MEDIUM · CWE-93
@nestjs/core: Nest: Server-Sent Events (SSE) injection and spoofing via unsanitized newline characters
A flaw was found in Nest, a framework for building Node.js server-side applications. An attacker can exploit a vulnerability in the `SseStream._transform()` function by injecting newline characters into `message.type` and `message.id` fields. This allows the attacker to inject arbitrary Server-Sent Events (SSE), spoof event types, and corrupt the reconnection state, potentially leading to unexpected application behavior or denial of service.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla · 2026-04-07 · CVSS 6.3 · CVE-2026-35515 · MEDIUM
CVE-2026-35515 @nestjs/core: Nest: Server-Sent Events (SSE) injection and spoofing via unsanitized newline characters
Description identical to the NVD summary above.
Wiz
blogs_wiz · CVSS 4.3 · CVE-2026-35515 · MEDIUM
CVE-2026-35515 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35515: JavaScript vulnerability analysis and mitigation
## Impact
The Wiz impact section references `SseStream._transform()`, `message.type`, `message.id`, the `\r`, `\n` and `\n\n` sequences, the `event:`, `data:` and `id:` fields, `EventSource.addEventListener()` and `Last-Event-ID`. Together they describe the same mechanism as the advisory: `SseStream._transform()` writes `message.type` and `message.id` into the stream without removing `\r` or `\n`, while the SSE protocol treats `\r`, `\n` and `\r\n` as line terminators and a blank line (`\n\n`) as the end of an event. A line break inside `type` or `id` therefore lets the value close its own `event:` or `id:` line and start `data:`, `id:` or `event:` lines of its own. A browser dispatches each parsed event by its `event` name to the matching `EventSource.addEventListener()` handler, and sends the last `id` it saw back as the `Last-Event-ID` request header on reconnect, which is how a forged `id` corrupts reconnection state.
## Patches
Fixed in @nestjs/[email protected] (source: NVD)
Score: 6.3 (Severity MEDIUM)
Published: April 6, 2026
CNA Score: N/A
Affected Technologies: JavaScript
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): N/A
Exploitation Probability (EPSS): N/A
Affected packages and libraries: @nestjs/core
Sources: NVD; npm (Severity MEDIUM, Has Fix, Added at Apr 06, 2026)