CVE-2026-35515
SSE Injection in Nest.js SseStream Causes Event Spoofing
Publication date: 2026-04-07
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nestjs | nest | to 11.1.18 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can impact you in several ways if exploited:
- Event spoofing: An attacker can forge SSE events with arbitrary event types, causing client-side event listeners to trigger incorrectly.
- Data injection: Arbitrary data payloads can be injected, potentially leading to cross-site scripting (XSS) if the client renders SSE data as HTML without proper sanitization.
- Reconnection corruption: Injected id fields can corrupt the Last-Event-ID header during reconnection, causing clients to miss or replay events.
Exploitation requires that developers map user-influenced data to the SSE message type or id fields; direct HTTP request input does not reach these fields without developer intervention.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker to inject arbitrary Server-Sent Events (SSE), spoof event types, and corrupt reconnection states by exploiting unsanitized newline characters in message.type and message.id fields. This can lead to data injection attacks, including potential cross-site scripting (XSS) if the client renders SSE data as HTML without proper sanitization.
Such injection and spoofing vulnerabilities can undermine data integrity and confidentiality, which are critical aspects of compliance with standards like GDPR and HIPAA. If exploited, this vulnerability could lead to unauthorized data manipulation or exposure, potentially violating these regulations' requirements for protecting personal and sensitive information.
However, exploitation requires that developers map user-influenced data to the SSE message type or id fields, meaning the risk depends on specific application implementations.
Can you explain this vulnerability to me?
The vulnerability exists in the Nest framework's SseStream._transform() method prior to version 11.1.18. It occurs because the method directly inserts the message.type and message.id fields into the Server-Sent Events (SSE) text protocol output without sanitizing newline characters (\r, \n).
Since the SSE protocol uses these newline characters as field delimiters and event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events. This allows the attacker to spoof event types, inject arbitrary data payloads, and corrupt the reconnection state.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when user-influenced data is mapped to the SSE message type or id fields without sanitization, allowing injection of arbitrary Server-Sent Events. Detection involves identifying if your application uses @nestjs/core versions up to 11.1.17 and if it processes SSE streams with unsanitized message.type or message.id fields.
To detect exploitation attempts on your system or network, you can monitor SSE traffic for unusual or malformed event types or IDs containing newline characters (\r, \n) which are not normally expected.
Suggested commands include using network traffic inspection tools like tcpdump or Wireshark to capture SSE traffic and grep or similar tools to search for suspicious newline characters in event fields.
- Capture SSE traffic on port 80 or 443 (or your application port): tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
- Filter captured traffic for SSE event fields containing newline characters: grep -P '\r|\n' captured_traffic.log
- Check your package version: npm list @nestjs/core
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the @nestjs/core package to version 11.1.18 or later, where the vulnerability has been fixed by sanitizing the message.type and message.id fields in the SSE stream.
Additionally, review your application code to ensure that user-influenced data is not directly mapped to SSE message type or id fields without proper sanitization.
If immediate upgrade is not possible, implement input validation or sanitization on the upstream data sources that influence these SSE fields to prevent injection of newline characters.