Impact Analysis

This vulnerability can impact you in several ways if exploited:

• Event spoofing: An attacker can forge SSE events with arbitrary event types, causing client-side event listeners to trigger incorrectly.
• Data injection: Arbitrary data payloads can be injected, potentially leading to cross-site scripting (XSS) if the client renders SSE data as HTML without proper sanitization.
• Reconnection corruption: Injected id fields can corrupt the Last-Event-ID header during reconnection, causing clients to miss or replay events.

Exploitation requires that developers map user-influenced data to the SSE message type or id fields; direct HTTP request input does not reach these fields without developer intervention.

Useful 0 Not Useful 0

Executive Summary

The vulnerability exists in the Nest framework's SseStream._transform() method prior to version 11.1.18. It occurs because the method directly inserts the message.type and message.id fields into the Server-Sent Events (SSE) text protocol output without sanitizing newline characters (\r, \n).

Since the SSE protocol uses these newline characters as field delimiters and event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events. This allows the attacker to spoof event types, inject arbitrary data payloads, and corrupt the reconnection state.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability occurs when user-influenced data is mapped to the SSE message type or id fields without sanitization, allowing injection of arbitrary Server-Sent Events. Detection involves identifying if your application uses @nestjs/core versions up to 11.1.17 and if it processes SSE streams with unsanitized message.type or message.id fields.

To detect exploitation attempts on your system or network, you can monitor SSE traffic for unusual or malformed event types or IDs containing newline characters (\r, \n) which are not normally expected.

Suggested commands include using network traffic inspection tools like tcpdump or Wireshark to capture SSE traffic and grep or similar tools to search for suspicious newline characters in event fields.

• Capture SSE traffic on port 80 or 443 (or your application port): tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
• Filter captured traffic for SSE event fields containing newline characters: grep -P '\r|\n' captured_traffic.log
• Check your package version: npm list @nestjs/core

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the @nestjs/core package to version 11.1.18 or later, where the vulnerability has been fixed by sanitizing the message.type and message.id fields in the SSE stream.

Additionally, review your application code to ensure that user-influenced data is not directly mapped to SSE message type or id fields without proper sanitization.

If immediate upgrade is not possible, implement input validation or sanitization on the upstream data sources that influence these SSE fields to prevent injection of newline characters.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker to inject arbitrary Server-Sent Events (SSE), spoof event types, and corrupt reconnection states by exploiting unsanitized newline characters in message.type and message.id fields. This can lead to data injection attacks, including potential cross-site scripting (XSS) if the client renders SSE data as HTML without proper sanitization.

Such injection and spoofing vulnerabilities can undermine data integrity and confidentiality, which are critical aspects of compliance with standards like GDPR and HIPAA. If exploited, this vulnerability could lead to unauthorized data manipulation or exposure, potentially violating these regulations' requirements for protecting personal and sensitive information.

However, exploitation requires that developers map user-influenced data to the SSE message type or id fields, meaning the risk depends on specific application implementations.

Useful 0 Not Useful 0