CVE-2026-35515— @nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')

@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\r, \n). Since the SSE protocol treats both \r and \n as field delimiters and \n\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. This vulnerability is fixed in 11.1.18.

N/A

输出中的特殊元素转义处理不恰当(注入)

nest 注入漏洞

nest是nestjs开源的一个 Node.js 框架，用于使用 TypeScript/JavaScript 构建高效、可扩展和企业级的服务器端应用程序。 Nest 11.1.18之前版本存在注入漏洞，该漏洞源于SseStream._transform函数将message.type和message.id直接插入服务器发送事件文本协议输出中，而未对换行符进行清理，可能导致能够通过上游数据源影响这些字段的攻击者注入任意SSE事件、伪造事件类型并破坏重连状态。

N/A

N/A