https://feed.craftedsignal.io/tags/recursion/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 23 Apr 2026 12:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-xmldom-dos/Thu, 23 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-xmldom-dos/The xmldom library is vulnerable to a denial-of-service (DoS) attack due to uncontrolled recursion in XML serialization leading to application crashes.The xmldom library is susceptible to a denial-of-service (DoS) vulnerability due to uncontrolled recursion in XML serialization. Seven recursive traversals within lib/dom.js lack depth limits, causing a RangeError: Maximum call stack size exceeded and crashing the application when processing deeply nested XML documents. Publicly disclosed on 2026-04-06, the vulnerability impacts multiple functions, including normalize(), XMLSerializer.serializeToString(), and others related to DOM manipulation. This issue arises from the library’s pure-JavaScript recursive implementation of DOM operations, which exhausts the call stack. Exploitation requires no authentication or special options, affecting applications that process attacker-controlled XML using vulnerable xmldom versions ( < 0.8.13, >= 0.9.0 and < 0.9.10, and <= 0.6.0).

Attack Chain

1. An attacker crafts a malicious XML document with deeply nested elements.
2. The vulnerable application receives and parses the crafted XML document using DOMParser.parseFromString().
3. The application subsequently calls one of the affected DOM operations, such as normalize(), serializeToString(), getElementsByTagName(), or cloneNode(true).
4. The affected function initiates a recursive traversal of the deeply nested XML structure within lib/dom.js.
5. Each level of nesting consumes a JavaScript call stack frame.
6. The recursive calls continue until the JavaScript engine’s call stack is exhausted.
7. A RangeError: Maximum call stack size exceeded exception is thrown.
8. The application crashes due to the uncaught exception, leading to a denial of service.

Impact

Successful exploitation results in a denial-of-service condition. Any service parsing attacker-controlled XML with a vulnerable version of xmldom can be crashed by a single crafted payload. This can lead to failed request processing. In deployments where uncaught exceptions terminate the worker or process, the impact can extend beyond a single request and disrupt service availability more broadly. Tests show that stack exhaustion occurs with nesting depths between 5,000 and 10,000 levels depending on the operation.

Recommendation

• Upgrade @xmldom/xmldom to version >= 0.8.13 or >= 0.9.10 to remediate CVE-2026-41673.
• If upgrading is not immediately feasible, consider implementing input validation to limit the nesting depth of XML documents processed by applications using xmldom.
• Monitor application logs for RangeError: Maximum call stack size exceeded exceptions originating from lib/dom.js, which could indicate exploitation attempts.

]]>mediumadvisorydosxmldomrecursionjavascripthttps://feed.craftedsignal.io/briefs/2026-04-nest-recursion-dos/Wed, 22 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-nest-recursion-dos/NestJS versions before 11.1.19 are susceptible to an uncontrolled recursion vulnerability (CVE-2026-40879) where sending many small JSON messages in a single TCP frame triggers a call stack overflow, resulting in a denial-of-service condition.NestJS, a Node.js framework for server-side applications, is vulnerable to an uncontrolled recursion issue. Prior to version 11.1.19, a malicious actor could exploit CVE-2026-40879 by sending a crafted TCP frame containing numerous small, valid JSON messages to a vulnerable NestJS application. The handleData() function recursively processes each message, causing the buffer to shrink with each call. This bypasses the maxBufferSize limit and leads to a call stack overflow. A payload as small as 47 KB is sufficient to trigger a RangeError and crash the application. This vulnerability allows for a denial-of-service attack. The vulnerability has been patched in NestJS version 11.1.19.

Attack Chain

1. An attacker identifies a NestJS application running a version prior to 11.1.19.
2. The attacker crafts a TCP packet containing multiple small, valid JSON messages.
3. The attacker sends the crafted TCP packet to the vulnerable NestJS application.
4. The NestJS application’s handleData() function receives the TCP packet.
5. The handleData() function recursively processes each JSON message in the packet.
6. With each recursive call, the buffer shrinks.
7. The maxBufferSize is never reached because of the stack overflow.
8. The call stack overflows, leading to a RangeError and application crash, resulting in a denial of service.

Impact

Successful exploitation of CVE-2026-40879 leads to a denial-of-service condition. A single attacker can potentially bring down a vulnerable NestJS application with a relatively small payload of approximately 47KB. This can impact businesses relying on the affected NestJS application, leading to service disruptions and potential data loss. The vulnerability affects any application using NestJS versions before 11.1.19, making a large number of applications potentially vulnerable.

Recommendation

• Upgrade all NestJS applications to version 11.1.19 or later to patch CVE-2026-40879.
• Deploy the Sigma rule Detect Suspicious NestJS TCP Payload to identify potentially malicious TCP traffic targeting NestJS applications.
• Monitor network traffic for large TCP packets containing many small JSON messages, which may indicate an attempted exploit.

]]>highadvisorydenial-of-servicenestjsrecursioncve-2026-40879linux