Nest.js DoS via Malformed JSON: CVE-2026-40879

The National Vulnerability Database has detailed CVE-2026-40879, a high-severity denial-of-service vulnerability affecting Nest.js, a popular Node.js framework. Prior to version 11.1.19, an attacker can trigger a call stack overflow by sending numerous small, valid JSON messages within a single TCP frame. The handleData() function processes the buffer recursively, consuming one message per call; because each call shrinks the buffer, the maxBufferSize check never trips, and the recursion depth grows with the number of messages until the call stack is exhausted and a RangeError is thrown.

A payload of approximately 47 KB is sufficient to exploit this flaw. The CVSS v3.1 score of 7.5 (High) reflects the complete availability impact (A:H) with no user interaction or privileges required (AV:N/AC:L/PR:N/UI:N). This is a straightforward remote DoS, making it a low-effort, high-impact attack against unpatched systems.

This vulnerability, categorized under CWE-674 (Uncontrolled Recursion), highlights a common pitfall in network application development: inadequate input validation combined with recursive processing. For defenders, this means a direct path to service disruption if your Nest.js applications are not updated. Attackers will prioritize targets with public-facing Nest.js endpoints, as the exploit is simple and effective.
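The recursion pitfall described above, as an added illustration written for this page (not Nest.js's own handleData() code): a simplified newline-framed JSON reader in which handleData() recurses once per message, next to an iterative rewrite that keeps stack depth constant while still enforcing a byte limit. The class names, the newline framing, the buildFrames() helper and the message count used are assumptions of the model.

```javascript
// Simplified model of the CWE-674 pattern the advisory describes.
// Illustrative code for this page, NOT Nest.js's handleData() implementation;
// the newline framing, class names and buildFrames() are assumptions.

const DELIMITER = '\n';

// Constructed input: `count` tiny, valid JSON messages packed into one chunk,
// the way a single TCP frame could carry them.
function buildFrames(count) {
  return '{"ping":1}\n'.repeat(count);
}

// Vulnerable shape: one recursive call per message. maxBufferSize bounds the
// bytes held, not the recursion depth, so a chunk that stays under the limit
// still drives the stack as deep as it has messages.
class RecursiveReader {
  constructor(maxBufferSize) {
    this.maxBufferSize = maxBufferSize;
    this.buffer = '';
    this.messages = [];
  }

  handleData(chunk) {
    this.buffer += chunk;
    if (this.buffer.length > this.maxBufferSize) {
      throw new Error('buffer exceeds maxBufferSize');
    }
    const idx = this.buffer.indexOf(DELIMITER);
    if (idx === -1) return; // incomplete frame: wait for more data
    const frame = this.buffer.slice(0, idx);
    this.buffer = this.buffer.slice(idx + 1); // buffer shrinks, so the limit check passes again
    if (frame.length > 0) this.messages.push(JSON.parse(frame));
    this.handleData(''); // recurse for the remainder: a new stack frame per message
  }
}

// Hardened shape: the same framing done in a loop. Work per chunk is linear in
// its size, stack depth is constant, and the size limit is checked before the
// chunk is appended so an oversized frame is rejected rather than buffered.
class IterativeReader {
  constructor(maxBufferSize) {
    this.maxBufferSize = maxBufferSize;
    this.buffer = '';
    this.messages = [];
  }

  handleData(chunk) {
    if (this.buffer.length + chunk.length > this.maxBufferSize) {
      throw new Error('buffer exceeds maxBufferSize');
    }
    this.buffer += chunk;
    let start = 0;
    let idx;
    while ((idx = this.buffer.indexOf(DELIMITER, start)) !== -1) {
      const frame = this.buffer.slice(start, idx);
      start = idx + 1;
      if (frame.length > 0) this.messages.push(JSON.parse(frame));
    }
    this.buffer = this.buffer.slice(start); // keep only the incomplete tail
  }
}

// True when the recursive reader dies with a RangeError
// ("Maximum call stack size exceeded") on `count` well-formed messages.
function recursiveReaderOverflows(count) {
  const reader = new RecursiveReader(8 * 1024 * 1024);
  try {
    reader.handleData(buildFrames(count));
    return false;
  } catch (err) {
    return err instanceof RangeError;
  }
}

// How many messages the iterative reader extracts from the same input.
function iterativeReaderCount(count) {
  const reader = new IterativeReader(8 * 1024 * 1024);
  reader.handleData(buildFrames(count));
  return reader.messages.length;
}

// A frame split across two chunks must still yield exactly one message.
function iterativeReaderHandlesSplitFrame() {
  const reader = new IterativeReader(1024);
  reader.handleData('{"id":');
  reader.handleData('42}\n');
  return reader.messages.length === 1 && reader.messages[0].id === 42;
}

// The byte limit still applies: a chunk that would push the buffer past
// maxBufferSize is rejected before it is stored.
function iterativeReaderRejectsOversize() {
  const reader = new IterativeReader(16);
  try {
    reader.handleData('{"padding":"xxxxxxxxxxxxxxxx"}\n');
    return false;
  } catch (err) {
    return !(err instanceof RangeError) && reader.buffer.length === 0;
  }
}

const N = 200000; // constructed: far more frames than the default V8 stack holds
console.log(`recursive reader overflows on ${N} messages:`, recursiveReaderOverflows(N));
console.log('iterative reader parsed:', iterativeReaderCount(N));
```

The point of the comparison is that a byte limit and a depth limit are different controls: the recursive reader honours maxBufferSize on every call and still falls over, because the number of stack frames is a function of the message count, which the byte limit does not bound. The loop removes that dependency entirely, which is why an iterative reader is the usual fix for this CWE-674 shape rather than a tighter buffer size.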

What This Means For You

  • If your organization uses Nest.js for server-side applications, you are directly exposed to a remote denial-of-service attack via CVE-2026-40879. Patch immediately to version 11.1.19 or later. Audit your network perimeters for public-facing Nest.js instances and ensure they are updated to prevent service disruption.

Related ATT&CK Techniques

  • T1190 (Initial Access), severity: high

Detection Rules

  • Web Application Exploitation Attempt — CVE-2026-40879 (auto-generated Sigma rule, mapped to T1190)

Indicators of Compromise

  • CVE-2026-40879 (type: Vulnerability)

Source & Attribution

  • Source platform: NVD
  • Channel: National Vulnerability Database
  • Published: April 21, 2026 at 23:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
