Security Advisory

CVE-2026-40879

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-04-21 19:14:17

Last updated 2026-04-21 19:38:04

Assigner GitHub_M

State PUBLISHED

Description

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.19, when an attacker sends many small, valid JSON messages in one TCP frame, handleData() recurses once per message; the buffer shrinks each call. maxBufferSize is never reached; call stack overflows instead. A ~47 KB payload is sufficient to trigger RangeError. This vulnerability is fixed in 11.1.19.

← Browse all CVEs View on cve.org ↗