CVE-2026-40879: CWE-674: Uncontrolled Recursion in nestjs nest
Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.19, when an attacker sends many small, valid JSON messages in one TCP frame, handleData() recurses once per message, and the buffer shrinks with each call. Because the buffer keeps shrinking, maxBufferSize is never reached; instead the call stack overflows. A ~47 KB payload is sufficient to trigger a RangeError. This vulnerability is fixed in 11.1.19.
AI Analysis
Technical Summary
NestJS versions before 11.1.19 contain a vulnerability (CWE-674) in which the handleData() function processes each small JSON message in a TCP frame by recursing once per message. Because the buffer shrinks with each recursive call, the byte-based maxBufferSize limit is never reached, while the call stack depth grows with the number of messages until it overflows. A crafted payload of about 47 KB is enough to trigger the resulting RangeError. The effect is a denial of service: the application crashes. No known exploits are reported in the wild. The issue is resolved in NestJS 11.1.19.
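As an added illustration of the recursion-per-message pattern described in the description and summary above (this is not NestJS source, and the real transport's framing and fix may differ), the vulnerable shape is shown beside an iterative replacement. It assumes a simplified `<length>#<json>` framing and a hypothetical 1 MiB cap standing in for maxBufferSize.

```javascript
// Added illustration, not NestJS code. Framing "<len>#<json>" and the
// MAX_BUFFER_SIZE value are assumptions made for this example.
const MAX_BUFFER_SIZE = 1024 * 1024;

// Try to read one framed message starting at offset pos.
// Returns [parsedMessage, offsetAfterMessage], or null if the frame is incomplete.
function takeMessage(buf, pos) {
  const sep = buf.indexOf('#', pos);
  if (sep === -1) return null;                       // length prefix not complete yet
  const prefix = buf.slice(pos, sep);
  if (!/^\d+$/.test(prefix)) throw new Error('bad length prefix');
  const end = sep + 1 + Number(prefix);
  if (buf.length < end) return null;                 // body not complete yet
  return [JSON.parse(buf.slice(sep + 1, end)), end];
}

// Vulnerable shape: one stack frame per message in the chunk. The buffer
// shrinks on every call, so a byte-size cap never fires; only the stack grows.
function handleDataRecursive(state, chunk, out) {
  state.buffer += chunk;
  if (state.buffer.length > MAX_BUFFER_SIZE) throw new Error('buffer too large');
  const next = takeMessage(state.buffer, 0);
  if (next === null) return out;
  out.push(next[0]);
  const rest = state.buffer.slice(next[1]);
  state.buffer = '';
  return rest.length ? handleDataRecursive(state, rest, out) : out;
}

// Hardened shape: loop over the chunk instead of recursing, so stack depth is
// constant no matter how many messages share one frame.
function handleDataIterative(state, chunk, out) {
  state.buffer += chunk;
  if (state.buffer.length > MAX_BUFFER_SIZE) throw new Error('buffer too large');
  let pos = 0;
  let next;
  while ((next = takeMessage(state.buffer, pos)) !== null) {
    out.push(next[0]);
    pos = next[1];
  }
  state.buffer = state.buffer.slice(pos);            // keep only the unconsumed tail
  return out;
}

// Constructed input: n tiny valid messages packed into a single chunk.
function buildFrame(n) {
  const one = JSON.stringify({ pattern: 'p', data: 1 });
  return `${one.length}#${one}`.repeat(n);
}
```

The iterative handler also keeps a partial trailing message in `state.buffer` so a frame split across two TCP chunks is reassembled correctly.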
Potential Impact
The vulnerability causes a denial of service by crashing the NestJS application due to call stack overflow when processing multiple small JSON messages in one TCP frame. There is no impact on confidentiality or integrity. The CVSS v3.1 score is 7.5 (high), reflecting the network attack vector, no privileges required, no user interaction, and impact limited to availability.
Mitigation Recommendations
Upgrade NestJS to version 11.1.19 or later. The vendor advisory confirms that the fix is included in 11.1.19, so applying this official release is the recommended remediation.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-15T15:57:41.719Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e7d08919fe3cd2cdf3fb25
Added to database: 4/21/2026, 7:31:21 PM
Last enriched: 4/21/2026, 7:46:21 PM
Last updated: 4/21/2026, 9:53:49 PM