CVE-2026-35515: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in nestjs nest
A vulnerability in the NestJS framework prior to version 11.1.18 allows improper neutralization of newline characters in Server-Sent Events (SSE) output. Specifically, the SseStream._transform() method interpolates message.type and message.id directly into SSE text output without sanitizing carriage return and newline characters. This can enable an attacker who controls these fields to inject arbitrary SSE events, spoof event types, and disrupt reconnection state. The issue is fixed in version 11.1.18.
AI Analysis
Technical Summary
CVE-2026-35515 is an injection vulnerability (CWE-74) in the NestJS framework's SSE implementation. Before version 11.1.18, the SseStream._transform() function does not sanitize newline characters in the message.type and message.id fields before embedding them in the Server-Sent Events stream. The SSE wire format terminates each field line with \n, \r, or \r\n and dispatches an event when it reaches a blank line, so a type or id value that contains a line terminator ends its own field early and whatever follows is parsed as further fields or as a new event. An attacker who controls those values can therefore inject arbitrary SSE events, spoof event types, and overwrite the id the client would send back as Last-Event-ID on reconnect. This vulnerability has a CVSS 4.0 score of 6.3 (medium severity) and was publicly disclosed on April 7, 2026. It is addressed by updating to NestJS version 11.1.18 or later.
Potential Impact
An attacker able to influence message.type or message.id can inject arbitrary SSE events, spoof event types, and corrupt the reconnection state of SSE clients, which can disrupt any application behaviour that relies on the stream. No privileges or user interaction are required, but the attacker must control the upstream data that populates these fields. Practical exposure therefore depends on where a given @Sse() handler takes those values from: an application that derives them from request parameters, user-generated content, or another tenant's data is affected, while one that sets them only from server-side constants is not reachable through this path.
Mitigation Recommendations
This vulnerability is fixed in NestJS version 11.1.18. Users should upgrade to version 11.1.18 or later to remediate this issue. No other official remediation or temporary fix is documented. Where an immediate upgrade is not possible, the nature of the defect points to an application-level control: strip or reject \r and \n in any value an @Sse() handler places in type or id, particularly values derived from request data or user content. Patch status is not explicitly stated beyond the fix in 11.1.18, so users should verify with the vendor advisory or release notes for confirmation.
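The following TypeScript is an added illustration of the mechanism described in the analysis above and of the application-level control mentioned under mitigation; it is not NestJS's own SseStream code, nor the upstream patch. It reimplements a serializer with the described defect (type and id interpolated raw) next to a hardened variant that strips CR/LF, plus a minimal client-side parser that follows the EventSource dispatch rules, so the effect of a hostile id on what a browser would dispatch can be observed directly. The SseMessage shape, the field order in the serializer, the HOSTILE_ID payload and the demo() helper are all constructed for the example.

```typescript
// Message shape assumed for this example (field names follow the advisory: type, id, data).
interface SseMessage {
  data: string | object;
  type?: string;
  id?: string;
  retry?: number;
}

interface ParsedEvent {
  event: string;
  id: string;
  data: string;
}

// Vulnerable serializer: mirrors the defect the advisory describes. `type` and `id` are
// interpolated into the stream as-is, so a CR or LF inside them ends the field early and
// whatever follows is parsed as further fields or a new event. Illustrative only; this is
// not NestJS's SseStream._transform().
function serializeUnsafe(m: SseMessage): string {
  let out = "";
  if (m.type !== undefined) out += `event: ${m.type}\n`;
  if (m.id !== undefined) out += `id: ${m.id}\n`;
  if (m.retry !== undefined) out += `retry: ${m.retry}\n`;
  const payload = typeof m.data === "string" ? m.data : JSON.stringify(m.data);
  // data may legitimately contain newlines: the format handles that by emitting one
  // "data:" line per line, which the client re-joins. type and id have no such escape.
  for (const line of payload.split(/\r\n|\r|\n/)) out += `data: ${line}\n`;
  return out + "\n"; // blank line dispatches the event
}

// Hardened variant: remove every CR and LF from type and id before interpolation so a
// value can never terminate its own field. Rejecting such values is the stricter option.
function stripCrLf(s: string): string {
  return s.replace(/[\r\n]/g, "");
}

function serializeSafe(m: SseMessage): string {
  return serializeUnsafe({
    ...m,
    type: m.type === undefined ? undefined : stripCrLf(m.type),
    id: m.id === undefined ? undefined : stripCrLf(m.id),
  });
}

// Minimal client-side parser following the EventSource dispatch rules: lines end at
// \r\n, \r or \n; a blank line dispatches (unless no data was collected); "event" sets
// the type (default "message"); "data" lines accumulate; "id" updates the last event id
// a client would send back as Last-Event-ID on reconnect; comments (leading ":") and
// retry are ignored here.
function parseSse(stream: string): ParsedEvent[] {
  const events: ParsedEvent[] = [];
  let data = "";
  let eventType = "";
  let lastEventId = "";
  for (const line of stream.split(/\r\n|\r|\n/)) {
    if (line === "") {
      if (data !== "") {
        events.push({ event: eventType || "message", id: lastEventId, data: data.replace(/\n$/, "") });
      }
      data = "";
      eventType = "";
      continue;
    }
    if (line.startsWith(":")) continue;
    const colon = line.indexOf(":");
    const field = colon === -1 ? line : line.slice(0, colon);
    let value = colon === -1 ? "" : line.slice(colon + 1);
    if (value.startsWith(" ")) value = value.slice(1);
    if (field === "event") eventType = value;
    else if (field === "data") data += value + "\n";
    else if (field === "id" && !value.includes("\0")) lastEventId = value;
  }
  return events;
}

// Constructed attacker-controlled id (not a payload from the advisory): closes the real
// event, injects a spoofed "session-expired" event, then overrides the id to 0 so the
// client's reconnect state no longer points at the real message.
const HOSTILE_ID = "7\n\nevent: session-expired\ndata: {}\n\nid: 0";
const MESSAGE: SseMessage = { type: "chat", id: HOSTILE_ID, data: "hello" };

// What a client would dispatch for the same message through each serializer.
function demo(): { unsafe: ParsedEvent[]; safe: ParsedEvent[] } {
  return {
    unsafe: parseSse(serializeUnsafe(MESSAGE)), // 2 events: spoofed type, id ends at "0"
    safe: parseSse(serializeSafe(MESSAGE)),     // 1 "chat" event, no injected fields
  };
}
```

Through the unsafe serializer the single "chat" message arrives as two events, the first a fabricated "session-expired" event and the second the real payload delivered with the default "message" type and an id of "0", which is what the client would present on reconnect. Through the hardened serializer the same input yields one "chat" event whose id is merely odd-looking. Stripping keeps the stream alive for a benign-but-dirty value; rejecting the message is preferable when type or id should never contain control characters in the first place.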
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-03T02:15:39.280Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69d52344aaed68159a2ec61b
Added to database: 4/7/2026, 3:31:16 PM
Last enriched: 4/14/2026, 3:58:51 PM
Last updated: 5/22/2026, 4:30:36 PM