{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35515", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T02:15:39.280Z", "datePublished": "2026-04-07T15:06:10.619Z", "dateUpdated": "2026-04-07T15:58:37.067Z"}, "containers": {"cna": {"title": "@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/nestjs/nest/security/advisories/GHSA-36xv-jgw5-4q75", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nestjs/nest/security/advisories/GHSA-36xv-jgw5-4q75"}], "affected": [{"vendor": "nestjs", "product": "nest", "versions": [{"version": "< 11.1.18", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:06:10.619Z"}, "descriptions": [{"lang": "en", "value": "Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\\r, \\n). Since the SSE protocol treats both \\r and \\n as field delimiters and \\n\\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. This vulnerability is fixed in 11.1.18."}], "source": {"advisory": "GHSA-36xv-jgw5-4q75", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T15:48:56.879859Z", "id": "CVE-2026-35515", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:58:37.067Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35515", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T15:48:56.879859Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:49:00.468Z"}}], "cna": {"title": "@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')", "source": {"advisory": "GHSA-36xv-jgw5-4q75", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "nestjs", "product": "nest", "versions": [{"status": "affected", "version": "< 11.1.18"}]}], "references": [{"url": "https://github.com/nestjs/nest/security/advisories/GHSA-36xv-jgw5-4q75", "name": "https://github.com/nestjs/nest/security/advisories/GHSA-36xv-jgw5-4q75", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\\r, \\n). Since the SSE protocol treats both \\r and \\n as field delimiters and \\n\\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. This vulnerability is fixed in 11.1.18."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:06:10.619Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35515", "state": "PUBLISHED", "dateUpdated": "2026-04-07T15:58:37.067Z", "dateReserved": "2026-04-03T02:15:39.280Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T15:06:10.619Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nestjs:nest:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "56CE7D95-5F6B-4065-B105-4B5C36682291", "versionEndExcluding": "11.1.18", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\\r, \\n). Since the SSE protocol treats both \\r and \\n as field delimiters and \\n\\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. This vulnerability is fixed in 11.1.18."}], "id": "CVE-2026-35515", "lastModified": "2026-04-17T20:36:10.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T16:16:27.773", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/nestjs/nest/security/advisories/GHSA-36xv-jgw5-4q75"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "@nestjs/core: Nest: Server-Sent Events (SSE) injection and spoofing via unsanitized newline characters", "id": "2455993", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455993"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "status": "draft"}, "cwe": "CWE-93", "details": ["A flaw was found in Nest, a framework for building Node.js server-side applications. An attacker can exploit a vulnerability in the `SseStream._transform()` function by injecting newline characters into `message.type` and `message.id` fields. This allows the attacker to inject arbitrary Server-Sent Events (SSE), spoof event types, and corrupt the reconnection state, potentially leading to unexpected application behavior or denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-35515", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/backstage-community-plugin-catalog-backend-module-scaffolder-relation-processor", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/art-images", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-07T15:06:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-35515\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-35515\nhttps://github.com/nestjs/nest/security/advisories/GHSA-36xv-jgw5-4q75"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.1.18)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nest", "source": "cna", "vendor": "nestjs"}, "product": "nest", "vendor": "nestjs"}], "analysis": {"en": {"generated_at": "2026-04-09T01:23:51.899127+00:00", "value": {"mitigation_remediation": ["Upgrade the NestJS framework to version 11.1.18 or later.", "Verify that all dependent packages are updated in accordance with the new framework version.", "After upgrading, restart all services that depend on the NestJS framework to ensure the patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Event Injection, Potential Data Manipulation"}, "threat_synthesis": {"affected_systems": "NestJS framework versions prior to 11.1.18 are affected. The vulnerability was discovered in the nestjs:nest product. Any application using these versions without applying the 11.1.18 update or higher is vulnerable.", "description_and_impact": "NestJS interpolates message.type and message.id directly into Server-Sent Events text protocol output without stripping newline characters. The SSE protocol interprets carriage return and line feed as field delimiters and consecutive line feeds as event boundaries. An attacker who can influence these fields can therefore inject arbitrary SSE events, spoof event types, and corrupt the reconnection state sent to downstream clients. This exploit allows the attacker to send malicious event data to browsers or other consumers of the stream, potentially leading to data manipulation or unintended application behavior.", "risk_and_exploitability": "The CVSS score of 6.3 indicates moderate severity. The EPSS score of less than one percent suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. The attack requires an attacker to inject newline characters via the message.type or message.id fields, implying that the threat vector is upstream data manipulation, such as through a crafted request or injected content in the message pipeline. When successful, the attacker can inject custom SSE events and potentially undermine client trust or cause unintended data flow."}}}}, "created": "2026-04-08T19:37:14.047437+00:00", "updated": "2026-04-09T08:28:45.024257+00:00", "vendors": ["nestjs", "nestjs$PRODUCT$nest"]}