Platform: nodejs
Component: @nestjs/microservices
Fixed in: 11.1.20, 11.1.19
CVE-2026-40879 describes a Denial of Service (DoS) vulnerability discovered in the @nestjs/microservices Node.js package. An attacker can trigger this vulnerability by sending a large number of small, valid JSON messages within a single TCP frame, leading to a call stack overflow. This affects versions of @nestjs/microservices up to and including 11.1.18. A patch is available in version 11.1.19.
This vulnerability allows a remote attacker to cause a denial of service in applications that use @nestjs/microservices. The attack involves crafting a malicious TCP frame containing numerous small, valid JSON messages. The handleData() function within the package processes each message recursively, shrinking the buffer with each call. Critically, the maxBufferSize limit is never reached, so the usual buffer-size guard does not trip. Instead, the repeated recursive calls exhaust the call stack, resulting in a RangeError that effectively crashes the application. A relatively small payload of approximately 47 KB is sufficient to trigger this condition, making it a practical attack vector.
This vulnerability was discovered and reported by hwpark6804-gif on GitHub. As of the publication date (2026-04-14), there is no indication of active exploitation in the wild. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.06% (17th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-40879 is to upgrade to @nestjs/microservices version 11.1.19 or later. If upgrading is not immediately feasible, consider implementing rate limiting on incoming TCP connections to prevent an attacker from sending a large volume of messages. Additionally, consider implementing stricter input validation to ensure that incoming JSON messages adhere to expected size and structure constraints. While not a direct fix, these measures can reduce the attack surface. After upgrading, confirm the fix by sending a large number of small JSON messages via TCP and verifying that the application does not crash or exhibit excessive resource consumption.
Update to version 11.1.19 or higher to mitigate the risk of denial of service. This version fixes the issue by preventing excessive recursion in the handleData function, thus preventing the call stack overflow.
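The recursion-per-message pattern described above and the iterative fix described here, as an added example that is not the package's own code: a toy `<byteLength>#<json>` framing (an assumed format, not the real wire format, and the function names are hypothetical) is split once recursively, where stack depth grows with the number of messages in a chunk, and once iteratively, where it stays constant no matter how many messages share one TCP chunk.

```javascript
// Added example, not @nestjs/microservices code. Toy framing "<byteLength>#<json>"
// is an assumption chosen for illustration; the real handleData() is not reproduced.

// Vulnerable pattern: one stack frame per message, so a chunk holding tens of
// thousands of tiny messages overflows the stack before any size limit trips.
function parseRecursive(buf, out = []) {
  const sep = buf.indexOf('#');
  if (sep === -1) return { messages: out, rest: buf };
  const len = Number(buf.subarray(0, sep).toString());
  const end = sep + 1 + len;
  if (buf.length < end) return { messages: out, rest: buf }; // partial frame, wait for more
  out.push(JSON.parse(buf.subarray(sep + 1, end).toString()));
  return parseRecursive(buf.subarray(end), out); // recursion depth == message count
}

// Hardened form: same framing logic as a loop; stack depth is constant.
function parseIterative(buf) {
  const out = [];
  let offset = 0;
  for (;;) {
    const sep = buf.indexOf('#', offset);
    if (sep === -1) break;
    const len = Number(buf.subarray(offset, sep).toString());
    if (!Number.isInteger(len) || len < 0) throw new Error('bad length prefix');
    const end = sep + 1 + len;
    if (buf.length < end) break; // partial frame stays buffered in `rest`
    out.push(JSON.parse(buf.subarray(sep + 1, end).toString()));
    offset = end;
  }
  return { messages: out, rest: buf.subarray(offset) };
}

// Constructed input: one chunk holding `n` copies of the smallest useful message.
function buildChunk(n, payload = '{}') {
  return Buffer.from(`${Buffer.byteLength(payload)}#${payload}`.repeat(n));
}

// Run a parser and report either the message count or the error class thrown.
function safeParse(parser, buf) {
  try {
    return { ok: true, count: parser(buf).messages.length };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}
```

On a default Node.js stack the recursive variant fails with a RangeError on a chunk of a few hundred thousand two-byte messages, while the iterative variant returns every message and keeps a trailing partial frame for the next chunk.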
CVE-2026-40879 is a Denial of Service vulnerability in the @nestjs/microservices Node.js package where sending many small JSON messages can cause a call stack overflow, leading to application crashes.
You are affected if you are using @nestjs/microservices versions 11.1.18 or earlier. Upgrade to 11.1.19 or later to resolve the vulnerability.
Upgrade the @nestjs/microservices package to version 11.1.19 or later. Consider rate limiting and input validation as temporary mitigations if upgrading is not immediately possible.
As of the publication date, there is no evidence of active exploitation in the wild, and no public proof-of-concept code is available.
Refer to the official NestJS documentation and release notes for details on the fix and any related advisories: https://nestjs.com/