{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40879/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-40879"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["denial-of-service","nestjs","recursion","cve-2026-40879","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eNestJS, a Node.js framework for server-side applications, is vulnerable to an uncontrolled recursion issue. Prior to version 11.1.19, a malicious actor could exploit CVE-2026-40879 by sending a crafted TCP frame containing numerous small, valid JSON messages to a vulnerable NestJS application. The \u003ccode\u003ehandleData()\u003c/code\u003e function recursively processes each message, causing the buffer to shrink with each call. This bypasses the \u003ccode\u003emaxBufferSize\u003c/code\u003e limit and leads to a call stack overflow. A payload as small as 47 KB is sufficient to trigger a \u003ccode\u003eRangeError\u003c/code\u003e and crash the application. This vulnerability allows for a denial-of-service attack. The vulnerability has been patched in NestJS version 11.1.19.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a NestJS application running a version prior to 11.1.19.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a TCP packet containing multiple small, valid JSON messages.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted TCP packet to the vulnerable NestJS application.\u003c/li\u003e\n\u003cli\u003eThe NestJS application\u0026rsquo;s \u003ccode\u003ehandleData()\u003c/code\u003e function receives the TCP packet.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehandleData()\u003c/code\u003e function recursively processes each JSON message in the packet.\u003c/li\u003e\n\u003cli\u003eWith each recursive call, the buffer shrinks.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emaxBufferSize\u003c/code\u003e is never reached because of the stack overflow.\u003c/li\u003e\n\u003cli\u003eThe call stack overflows, leading to a \u003ccode\u003eRangeError\u003c/code\u003e and application crash, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40879 leads to a denial-of-service condition. A single attacker can potentially bring down a vulnerable NestJS application with a relatively small payload of approximately 47KB. This can impact businesses relying on the affected NestJS application, leading to service disruptions and potential data loss. The vulnerability affects any application using NestJS versions before 11.1.19, making a large number of applications potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all NestJS applications to version 11.1.19 or later to patch CVE-2026-40879.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious NestJS TCP Payload\u003c/code\u003e to identify potentially malicious TCP traffic targeting NestJS applications.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for large TCP packets containing many small JSON messages, which may indicate an attempted exploit.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-nest-recursion-dos/","summary":"NestJS versions before 11.1.19 are susceptible to an uncontrolled recursion vulnerability (CVE-2026-40879) where sending many small JSON messages in a single TCP frame triggers a call stack overflow, resulting in a denial-of-service condition.","title":"NestJS Uncontrolled Recursion Denial-of-Service Vulnerability (CVE-2026-40879)","url":"https://feed.craftedsignal.io/briefs/2026-04-nest-recursion-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-40879","version":"https://jsonfeed.org/version/1.1"}