CVE-2026-40879
published 2026-04-21CVE-2026-40879: Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.19, when an attacker sends many small, valid JSON messages in one TCP…
PriorityP342high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.33%
24.7th percentile
Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.19, when an attacker sends many small, valid JSON messages in one TCP frame, handleData() recurses once per message; the buffer shrinks each call. maxBufferSize is never reached; call stack overflows instead. A ~47 KB payload is sufficient to trigger RangeError. This vulnerability is fixed in 11.1.19.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nestjs | microservices | >= 0 < 11.1.19 | 11.1.19 |
| nestjs | nest | < 11.1.19 | 11.1.19 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
nestjs nest up to 11.1.18 JSON Message handleData recursion (GHSA-hpwf-8g29-85qm)
vuldb·2026-04-21·CVSS 7.5
CVE-2026-40879 [HIGH] nestjs nest up to 11.1.18 JSON Message handleData recursion (GHSA-hpwf-8g29-85qm)
A vulnerability categorized as problematic has been discovered in nestjs nest up to 11.1.18. Affected by this issue is the function handleData of the component JSON Message Handler. The manipulation results in uncontrolled recursion.
This vulnerability is known as CVE-2026-40879. It is possible to launch the attack remotely. No exploit is available.
It is advisable to upgrade the affected component.
GHSA
Nest Affected by DoS via Recursive handleData in JsonSocket (TCP Transport)
ghsa·2026-04-14
CVE-2026-40879 [HIGH] CWE-770 Nest Affected by DoS via Recursive handleData in JsonSocket (TCP Transport)
Nest Affected by DoS via Recursive handleData in JsonSocket (TCP Transport)
### Impact
Attacker sends many small, valid JSON messages in one TCP frame
→ handleData() recurses once per message; buffer shrinks each call
→ maxBufferSize is never reached; call stack overflows instead
→ A ~47 KB payload is sufficient to trigger RangeError
### Patches
Fixed in `@nestjs/[email protected]`
### References
Discovered by https://github.com/hwpark6804-gif
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-40879 nest: Nest: Denial of Service via recursive JSON message handling [fedora-all]
bugzilla·2026-04-23·CVSS 7.5
CVE-2026-40879 [HIGH] CVE-2026-40879 nest: Nest: Denial of Service via recursive JSON message handling [fedora-all]
CVE-2026-40879 nest: Nest: Denial of Service via recursive JSON message handling [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
Thanks---nest in Fedora is not the node-js framework. It's the nest neural simulator: https://www.nest-simulator.org, so this bug is invalid. Closing.
Bugzilla
CVE-2026-40879 nest: Nest: Denial of Service via recursive JSON message handling
bugzilla·2026-04-21·CVSS 7.5
CVE-2026-40879 [HIGH] CVE-2026-40879 nest: Nest: Denial of Service via recursive JSON message handling
CVE-2026-40879 nest: Nest: Denial of Service via recursive JSON message handling
Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.19, when an attacker sends many small, valid JSON messages in one TCP frame, handleData() recurses once per message; the buffer shrinks each call. maxBufferSize is never reached; call stack overflows instead. A ~47 KB payload is sufficient to trigger RangeError. This vulnerability is fixed in 11.1.19.
2026-04-21
Published