CVE-2026-40879
Status: Received - Intake
Stack Overflow in Nest Framework handleData() via Crafted JSON Payloads

Publication date: 2026-04-21

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.19, when an attacker sends many small, valid JSON messages in one TCP frame, handleData() recurses once per message and the buffer shrinks on each call, so maxBufferSize is never reached and the call stack overflows instead. A payload of roughly 47 KB is sufficient to trigger a RangeError. This vulnerability is fixed in 11.1.19.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-24
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: nestjs
Product: nest
Version / Range: up to 11.1.19 (exclusive)
CWE
CWE-674: The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation is to upgrade the `@nestjs/microservices` package to version 11.1.19 or later, where the vulnerability has been fixed.

Until the upgrade can be applied, consider implementing network-level protections such as rate limiting or filtering to block or limit TCP frames containing multiple small JSON messages that could trigger the recursive overflow.

Monitoring and alerting on application crashes or `RangeError` exceptions related to stack overflow can also help in early detection and response.


Can you explain this vulnerability to me?

CVE-2026-40879 is a high-severity denial-of-service (DoS) vulnerability in the @nestjs/microservices npm package, affecting versions up to 11.1.18. The issue occurs in the JsonSocket TCP transport implementation, specifically in the handleData() function that processes incoming JSON messages.

An attacker can exploit this vulnerability by sending many small, valid JSON messages bundled within a single TCP frame. Each message causes handleData() to recurse once. Because the buffer shrinks with each recursive call, the maximum buffer size limit is never reached, preventing normal termination. Instead, recursion continues until the call stack overflows, triggering a RangeError.

A payload of approximately 47 KB is sufficient to cause this stack overflow. This vulnerability was fixed in version 11.1.19 by properly handling the buffer and recursion in handleData().
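As an added illustration (not code from NestJS or from this advisory), the two framing patterns side by side: a per-message recursion, where the depth reached grows with the number of messages in one frame while the buffer-size cap is never hit because the buffer only shrinks, and the loop form that keeps stack depth constant. The `<len>#<json>` framing, the function names and the 1 MiB cap are assumptions.

```javascript
const MAX_BUFFER_SIZE = 1024 * 1024; // assumed cap on unparsed bytes
// Constructed input: one frame holding `count` tiny "<len>#<json>" messages.
function buildFrame(count) {
  const body = JSON.stringify({ ok: 1 }); // 8 bytes
  return `${body.length}#${body}`.repeat(count);
}
// Take one framed message off the front of buf; null if it is incomplete.
function takeOne(buf) {
  const sep = buf.indexOf('#');
  if (sep === -1) return null;
  const len = Number(buf.slice(0, sep));
  if (!Number.isInteger(len) || len < 0) throw new Error('bad length prefix');
  const end = sep + 1 + len;
  if (buf.length < end) return null;
  return { message: JSON.parse(buf.slice(sep + 1, end)), rest: buf.slice(end) };
}
// Vulnerable pattern: handle one message, then recurse on the remainder.
// The buffer shrinks each call, so the size cap never fires; recursion
// depth equals the number of messages bundled in the frame.
function handleDataRecursive(buf, messages, stats, depth = 1) {
  stats.maxDepth = Math.max(stats.maxDepth, depth);
  if (buf.length > MAX_BUFFER_SIZE) throw new Error('buffer too large');
  const one = takeOne(buf);
  if (one === null) return buf; // keep the incomplete tail for the next chunk
  messages.push(one.message);
  if (one.rest.length === 0) return '';
  return handleDataRecursive(one.rest, messages, stats, depth + 1);
}
// Hardened pattern: the same work as a loop; stack depth stays at 1.
function handleDataIterative(buf, messages, stats) {
  stats.maxDepth = Math.max(stats.maxDepth, 1);
  if (buf.length > MAX_BUFFER_SIZE) throw new Error('buffer too large');
  for (;;) {
    const one = takeOne(buf);
    if (one === null) return buf;
    messages.push(one.message);
    buf = one.rest;
    if (buf.length === 0) return '';
  }
}
// Run both over the same frame; report the depth reached and messages parsed.
function compare(count) {
  const frame = buildFrame(count);
  const rec = { maxDepth: 0 }, it = { maxDepth: 0 }, recMsgs = [], itMsgs = [];
  handleDataRecursive(frame, recMsgs, rec);
  handleDataIterative(frame, itMsgs, it);
  return { frameBytes: frame.length, recursiveDepth: rec.maxDepth,
           iterativeDepth: it.maxDepth, parsed: itMsgs.length };
}
```

With 1000 messages the frame is only 10 KB, yet the recursive form already reaches depth 1000 while the loop stays at depth 1; scaling the count up is what exhausts the call stack in the vulnerable pattern.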


How can this vulnerability impact me?

This vulnerability can cause a denial-of-service (DoS) condition by crashing the application due to a stack overflow triggered by recursive calls in the handleData() function.

An attacker can remotely exploit this vulnerability without any privileges or user interaction by sending specially crafted TCP frames containing multiple small JSON messages.

The impact is high on availability, as the service can be disrupted or become unresponsive, but there is no impact on confidentiality or integrity.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unusual or excessive recursive calls in the `handleData()` function of the `@nestjs/microservices` package, specifically when processing TCP frames containing multiple small JSON messages.

Network detection could involve capturing TCP traffic to the affected service and analyzing for frames that contain many small valid JSON messages bundled together, which may indicate an attempt to trigger the stack overflow.

While no specific commands are provided in the resources, general approaches include using network packet capture tools like `tcpdump` or `Wireshark` to inspect TCP frames for suspicious payloads, and application-level logging to detect `RangeError` exceptions or service crashes related to stack overflow.

  • Use `tcpdump` to capture TCP traffic on the relevant port: `tcpdump -i <interface> tcp port <port_number> -w capture.pcap`
  • Analyze captured traffic with Wireshark to identify TCP frames containing multiple small JSON messages.
  • Check application logs for `RangeError` exceptions or crashes related to stack overflow in the `handleData()` function.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability is a denial-of-service (DoS) issue that affects the availability of services using the affected NestJS microservices package. It does not impact confidentiality or integrity of data.

Since the vulnerability does not lead to unauthorized access, data leakage, or data modification, it does not directly affect compliance with data protection standards such as GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal or sensitive data.

However, the high availability impact could indirectly affect compliance if service disruptions prevent timely access to data or services required by these regulations.

