CVE-2026-35515: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in nestjs nest
Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\r, \n). Since the SSE protocol treats both \r and \n as field delimiters and \n\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. This vulnerability is fixed in 11.1.18.
AI Analysis
Technical Summary
NestJS versions before 11.1.18 contain an injection vulnerability (CWE-74) in the SseStream._transform() function. This function outputs Server-Sent Events text protocol data by directly embedding message.type and message.id without sanitizing newline characters (\r, \n). Because the SSE protocol uses these characters as delimiters and event boundaries, an attacker able to influence these fields can inject arbitrary SSE events, spoof event types, and corrupt client reconnection states. This vulnerability is addressed in version 11.1.18 of NestJS.
Potential Impact
An attacker who can influence the message.type or message.id fields in SSE streams can inject arbitrary SSE events. This may lead to spoofed event types and corrupted reconnection states in clients consuming the SSE stream. The vulnerability does not require privileges or user interaction but does require the ability to control upstream data. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade NestJS to version 11.1.18 or later, where this vulnerability is fixed. Since the vendor advisory indicates the issue is resolved in 11.1.18, applying this official fix is the recommended remediation. No additional mitigations are specified.
CVE-2026-35515: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in nestjs nest
Description
Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\r, \n). Since the SSE protocol treats both \r and \n as field delimiters and \n\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. This vulnerability is fixed in 11.1.18.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
NestJS versions before 11.1.18 contain an injection vulnerability (CWE-74) in the SseStream._transform() function. This function outputs Server-Sent Events text protocol data by directly embedding message.type and message.id without sanitizing newline characters (\r, \n). Because the SSE protocol uses these characters as delimiters and event boundaries, an attacker able to influence these fields can inject arbitrary SSE events, spoof event types, and corrupt client reconnection states. This vulnerability is addressed in version 11.1.18 of NestJS.
Potential Impact
An attacker who can influence the message.type or message.id fields in SSE streams can inject arbitrary SSE events. This may lead to spoofed event types and corrupted reconnection states in clients consuming the SSE stream. The vulnerability does not require privileges or user interaction but does require the ability to control upstream data. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade NestJS to version 11.1.18 or later, where this vulnerability is fixed. Since the vendor advisory indicates the issue is resolved in 11.1.18, applying this official fix is the recommended remediation. No additional mitigations are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-03T02:15:39.280Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d52344aaed68159a2ec61b
Added to database: 4/7/2026, 3:31:16 PM
Last enriched: 4/7/2026, 3:48:02 PM
Last updated: 4/8/2026, 12:07:19 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.