{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35515", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T02:15:39.280Z", "datePublished": "2026-04-07T15:06:10.619Z", "dateUpdated": "2026-04-07T15:58:37.067Z"}, "containers": {"cna": {"title": "@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/nestjs/nest/security/advisories/GHSA-36xv-jgw5-4q75", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nestjs/nest/security/advisories/GHSA-36xv-jgw5-4q75"}], "affected": [{"vendor": "nestjs", "product": "nest", "versions": [{"version": "< 11.1.18", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:06:10.619Z"}, "descriptions": [{"lang": "en", "value": "Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\\r, \\n). Since the SSE protocol treats both \\r and \\n as field delimiters and \\n\\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. This vulnerability is fixed in 11.1.18."}], "source": {"advisory": "GHSA-36xv-jgw5-4q75", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T15:48:56.879859Z", "id": "CVE-2026-35515", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:58:37.067Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35515", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T15:48:56.879859Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:49:00.468Z"}}], "cna": {"title": "@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')", "source": {"advisory": "GHSA-36xv-jgw5-4q75", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "nestjs", "product": "nest", "versions": [{"status": "affected", "version": "< 11.1.18"}]}], "references": [{"url": "https://github.com/nestjs/nest/security/advisories/GHSA-36xv-jgw5-4q75", "name": "https://github.com/nestjs/nest/security/advisories/GHSA-36xv-jgw5-4q75", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\\r, \\n). Since the SSE protocol treats both \\r and \\n as field delimiters and \\n\\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. This vulnerability is fixed in 11.1.18."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:06:10.619Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35515", "state": "PUBLISHED", "dateUpdated": "2026-04-07T15:58:37.067Z", "dateReserved": "2026-04-03T02:15:39.280Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T15:06:10.619Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\\r, \\n). Since the SSE protocol treats both \\r and \\n as field delimiters and \\n\\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. This vulnerability is fixed in 11.1.18."}], "id": "CVE-2026-35515", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T16:16:27.773", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/nestjs/nest/security/advisories/GHSA-36xv-jgw5-4q75"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.1.18)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nest", "source": "cna", "vendor": "nestjs"}, "product": "nest", "vendor": "nestjs"}], "analysis": {"en": {"generated_at": "2026-04-07T22:49:49.124136+00:00", "value": {"mitigation_remediation": ["Upgrade NestJS to version 11.1.18 or later.", "Validate or sanitize any user\u2011supplied data that populates message.type or message.id before passing it to SseStream._transform()."], "summary": {"action": "Patch", "impact": "Injection via Server\u2011Sent Events"}, "threat_synthesis": {"affected_systems": "This issue affects the NestJS framework (nestjs:nest) in all releases prior to 11.1.18. Version 11.1.18 and later contain a patch that sanitizes the relevant fields, eliminating the injection vector.", "description_and_impact": "The vulnerability stems from an omission of sanitization in the SSE output handling of NestJS\u2019s SseStream._transform() method. Newline characters \r and \n are introduced directly from message.type and message.id fields into the Server\u2011Sent Events protocol stream. Because the SSE specification interprets these characters as delimiters and \n\n as event boundaries, an attacker who can control these fields can inject whole SSE events, manipulate event types, and corrupt the client\u2019s reconnection logic. This leads to arbitrary event injection and potential disruption of application state, representing an injection flaw (CWE\u201174).", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.3, indicating a moderate severity. EPSS is not available, and it is not listed in the CISA KEV catalog, suggesting no widely known exploits at present. The attack requires an attacker who can influence the message.type or message.id values supplied to SSE streams, which may be achievable through upstream data sources. If exploited, an attacker could deliver malicious SSE events to clients, corrupt reconnection sequences, and potentially manipulate client\u2010side application logic. Overall, the risk is moderate, but it should be mitigated promptly to prevent future exploitation."}}}}, "created": "2026-04-08T19:37:14.047437+00:00", "updated": "2026-04-08T19:48:29.702341+00:00", "vendors": ["nestjs", "nestjs$PRODUCT$nest"]}