Platform: nodejs
Component: @nestjs/microservices
Fixed in: 11.1.20, 11.1.19
CVE-2026-40879 describes a Denial of Service (DoS) vulnerability discovered in the @nestjs/microservices Node.js package. An attacker can trigger this vulnerability by sending a large number of small, valid JSON messages within a single TCP frame, leading to a call stack overflow. This affects versions of @nestjs/microservices up to and including 11.1.18. A patch is available in version 11.1.19.
This vulnerability allows a remote attacker to cause a denial of service in applications utilizing @nestjs/microservices. The attack involves crafting a malicious payload consisting of numerous small, valid JSON messages bundled within a single TCP frame. The handleData() function processes one message and then calls itself recursively on the remaining, shrunken buffer, so the recursion depth grows with the number of messages in the frame. Because each message is small, the maxBufferSize limit is never reached; instead, a sufficiently large payload (approximately 47 KB) exhausts the call stack. This crashes the application, preventing legitimate users from accessing its services.
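The recursion-versus-iteration point above is easiest to see in code. The following is an added example, not code from @nestjs/microservices or from the advisory: it uses a simplified stand-in frame format ("<length>#<json>" units concatenated, an assumption, not the real NestJS TCP framing), hypothetical function names (handleDataRecursive, handleDataIterative, parseOne) and a hypothetical MAX_BUFFER_SIZE. It shows that the size limit is never tripped while the recursive variant's stack depth equals the message count, and that the same logic written as a loop processes the same frame at constant depth.

```javascript
// Added example (not NestJS code): a recursive frame handler consumes one
// stack frame per message in the chunk; an iterative one does not.
// Assumed frame format: "<len>#<json>" units back to back (simplified stand-in).
const MAX_BUFFER_SIZE = 1024 * 1024; // hypothetical 1 MiB limit; never the failing check here

// Build a chunk holding `n` copies of one small, valid JSON message (constructed input).
function buildFrame(n, msg = '{}') {
  const unit = `${Buffer.byteLength(msg)}#${msg}`;
  return Buffer.from(unit.repeat(n));
}

// Parse one unit from the start of `buf`; returns [value, bytesConsumed],
// or null when the buffer does not yet hold a complete unit.
function parseOne(buf) {
  const sep = buf.indexOf(0x23); // '#'
  if (sep < 0) return null;
  const len = Number.parseInt(buf.subarray(0, sep).toString('ascii'), 10);
  if (!Number.isInteger(len) || len < 0) throw new Error('bad length prefix');
  const end = sep + 1 + len;
  if (buf.length < end) return null;
  return [JSON.parse(buf.subarray(sep + 1, end).toString('utf8')), end];
}

// Vulnerable pattern: handle one message, then recurse on the remainder.
// Returns the recursion depth reached; it equals the number of messages.
function handleDataRecursive(buf, onMessage, depth = 1) {
  if (buf.length > MAX_BUFFER_SIZE) throw new Error('buffer too large');
  const parsed = parseOne(buf);
  if (parsed === null) return depth;
  const [value, consumed] = parsed;
  onMessage(value);
  const rest = buf.subarray(consumed); // a view, no copy
  if (rest.length === 0) return depth;
  return handleDataRecursive(rest, onMessage, depth + 1);
}

// Fixed pattern: identical logic in a loop; stack depth stays constant.
// Returns the unconsumed tail so the caller can keep it for the next chunk.
function handleDataIterative(buf, onMessage) {
  if (buf.length > MAX_BUFFER_SIZE) throw new Error('buffer too large');
  let rest = buf;
  let parsed;
  while (rest.length > 0 && (parsed = parseOne(rest)) !== null) {
    const [value, consumed] = parsed;
    onMessage(value);
    rest = rest.subarray(consumed);
  }
  return rest;
}

// Run the recursive handler on a frame of `n` messages and report whether
// it finished or blew the call stack (Node raises RangeError for that).
function tryRecursive(n) {
  let count = 0;
  try {
    const depth = handleDataRecursive(buildFrame(n), () => { count++; });
    return { outcome: 'ok', count, depth };
  } catch (err) {
    if (err instanceof RangeError) return { outcome: 'stack-overflow', count };
    throw err;
  }
}

// Same frame through the iterative handler.
function tryIterative(n) {
  let count = 0;
  const tail = handleDataIterative(buildFrame(n), () => { count++; });
  return { count, tailLength: tail.length };
}

// Demonstration: 200,000 four-byte units is an 800 KB chunk, well under the
// size limit, yet only the iterative handler survives it.
console.log('recursive, 100 messages :', tryRecursive(100));
console.log('recursive, 200k messages:', tryRecursive(200000));
console.log('iterative, 200k messages:', tryIterative(200000));
```

The buffer check passes in both variants because the chunk is small in bytes; what differs is that the recursive handler's depth is a function of how many messages the chunk contains, a quantity the attacker controls independently of total size.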
This vulnerability was discovered and reported by hwpark6804-gif on GitHub. As of the publication date (2026-04-14), there is no indication of active exploitation in the wild. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog.
Applications built with NestJS that utilize the @nestjs/microservices package and are running versions prior to 11.1.19 are at risk. This includes microservices architectures and applications relying on the TCP transport for inter-service communication. Deployments with limited resources or those handling high volumes of incoming requests are particularly exposed.
• nodejs / server:
  npm list @nestjs/microservices
• nodejs / server:
  ps aux | grep -i microservices | grep -i json
• nodejs / server:
  journalctl -u your-nestjs-app -f | grep -i RangeError

EPSS: 0.06% (17th percentile)
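The npm list check above only reports the top-level copy; a vulnerable transitive copy nested under another dependency is easy to miss. The following added example (not part of the advisory or of NestJS) walks the JSON that `npm ls @nestjs/microservices --all --json` produces and flags every installed copy older than 11.1.19. The dependency tree embedded below is a constructed sample; the function names are the example's own.

```javascript
// Added example, not from the advisory: scan an `npm ls --all --json` tree for
// copies of @nestjs/microservices older than the fixed release.
const PACKAGE = '@nestjs/microservices';
const FIXED_VERSION = '11.1.19';

// Compare two dotted versions numerically; a pre-release suffix ("-beta.1") is ignored,
// which is adequate for a fixed-version boundary check.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Depth-first walk; npm nests transitive copies under the package that pulled them in,
// so the same package can appear several times at different versions.
function findInstalled(node, path = [], out = []) {
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, name];
    if (name === PACKAGE && typeof info.version === 'string') {
      out.push({ path: here.join(' > '), version: info.version, affected: isAffected(info.version) });
    }
    findInstalled(info, here, out);
  }
  return out;
}

// Constructed sample tree: the direct copy is fixed, a transitive copy is not.
const SAMPLE_NPM_LS = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    '@nestjs/microservices': { version: '11.1.19' },
    'legacy-gateway': {
      version: '2.3.0',
      dependencies: {
        '@nestjs/microservices': { version: '11.1.18' },
      },
    },
  },
};

// Summarise the scan: every copy found plus how many are below the fixed version.
function report(tree) {
  const found = findInstalled(tree);
  return { found, affectedCount: found.filter((f) => f.affected).length };
}

console.log(JSON.stringify(report(SAMPLE_NPM_LS), null, 2));
```

To run it against a real project, replace SAMPLE_NPM_LS with the parsed output of `npm ls @nestjs/microservices --all --json`; any entry with affected: true needs the upgrade, even if the top-level copy is already fixed.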
The primary mitigation for CVE-2026-40879 is to upgrade to @nestjs/microservices version 11.1.19 or later. If upgrading is not immediately feasible, consider implementing rate limiting on incoming TCP connections to prevent an attacker from sending a large volume of requests. Additionally, consider implementing input validation to ensure that incoming JSON messages adhere to expected size and structure. After upgrading, confirm the fix by sending a test payload similar to the described attack vector and verifying that the application does not crash.
Update to version 11.1.19 or later to mitigate the denial-of-service risk. This version fixes the issue by preventing excessive recursion in the handleData function, which in turn prevents a call stack overflow.
CVE-2026-40879 is a Denial of Service vulnerability in the @nestjs/microservices Node.js package where sending many small JSON messages can cause a call stack overflow, leading to application crashes.
You are affected if you are using @nestjs/microservices versions 11.1.18 or earlier. Upgrade to 11.1.19 or later to resolve the vulnerability.
Upgrade the @nestjs/microservices package to version 11.1.19 or later. Consider rate limiting and input validation as temporary mitigations if upgrading is not immediately possible.
As of the publication date, there is no evidence of active exploitation in the wild, and no public proof-of-concept code is available.
Refer to the official NestJS documentation and release notes for details on the fix and any related advisories: https://nestjs.com/