Nest Microservices Can Be Crashed by Malicious JSON Messages
GHSA-hpwf-8g29-85qm · CVSS 3.1 base score 7.5
Summary
The TCP transport of Nest Microservices may crash if an attacker sends a single TCP frame containing a large number of small, valid JSON messages. The JsonSocket parser handles each message with a recursive call, so the call stack is exhausted (a RangeError) before the configured buffer limit is ever reached, and the process crashes. The issue is fixed in version 11.1.19 of the @nestjs/microservices package; if you are using an earlier version, update to 11.1.19 or later.
What to do
- Update @nestjs/microservices to version 11.1.19 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| nestjs | @nestjs/microservices | < 11.1.19 | 11.1.19 |
Original title
Nest Affected by DoS via Recursive handleData in JsonSocket (TCP Transport)
Original description
### Impact
Attacker sends many small, valid JSON messages in one TCP frame
→ handleData() recurses once per message; buffer shrinks each call
→ maxBufferSize is never reached; call stack overflows instead
→ A ~47 KB payload is sufficient to trigger RangeError
### Patches
Fixed in `@nestjs/microservices@11.1.19`
### References
Discovered by https://github.com/hwpark6804-gif
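The recursion the advisory describes, as an added example that is not NestJS's own code: a toy length-prefixed JSON framer written in the recursive shape (one call per message) next to an iterative one, both driven with a constructed chunk of 200,000 tiny `{}` messages. The `<length>#<json>` framing, `MAX_BUFFER`, and every function name here are assumptions for illustration; the real JsonSocket differs in detail, but the failure mode is the same: the size limit only looks at the buffered total, which stays flat or shrinks, while stack depth grows with the message count.

```javascript
// Added example, not code from the NestJS project: a minimal length-prefixed
// JSON framer modelled on the pattern the advisory describes. The framing
// ("<length>#<json>" frames concatenated in one TCP chunk), MAX_BUFFER and
// every function name here are assumptions for illustration only.

const DELIM = '#';
const MAX_BUFFER = 1024 * 1024; // assumed cap on buffered data; tiny frames never reach it

// Pull one complete "<length>#<json>" frame off the front of state.buffer.
// Returns the JSON text, or null if the buffer does not yet hold a whole frame.
// Lengths are counted in string characters here (the real transport works on bytes).
function takeFrame(state) {
  const idx = state.buffer.indexOf(DELIM);
  if (idx === -1) return null;                         // length prefix not complete yet
  const len = Number(state.buffer.slice(0, idx));
  if (idx === 0 || !Number.isInteger(len) || len < 0) throw new Error('bad length prefix');
  const start = idx + DELIM.length;
  if (state.buffer.length < start + len) return null;  // body not fully received yet
  const body = state.buffer.slice(start, start + len);
  state.buffer = state.buffer.slice(start + len);      // buffer shrinks by one frame
  return body;
}

// Vulnerable shape: one recursion level per message. Each level consumes a frame
// and recurses with no new data; the size check never fires because the buffer
// only shrinks, so enough tiny frames exhaust the call stack (RangeError).
function handleDataRecursive(state, chunk, onMessage) {
  state.buffer += chunk;
  if (state.buffer.length > MAX_BUFFER) throw new Error('buffer exceeds MAX_BUFFER');
  const body = takeFrame(state);
  if (body === null) return;
  onMessage(JSON.parse(body));
  handleDataRecursive(state, '', onMessage);           // recurse for the next frame
}

// Hardened shape: same framing and same size check, but a loop drains the
// buffer, so stack depth stays constant however many frames arrive at once.
function handleDataIterative(state, chunk, onMessage) {
  state.buffer += chunk;
  if (state.buffer.length > MAX_BUFFER) throw new Error('buffer exceeds MAX_BUFFER');
  for (let body = takeFrame(state); body !== null; body = takeFrame(state)) {
    onMessage(JSON.parse(body));
  }
}

// Constructed input: `count` copies of one small, valid JSON message in a single chunk.
function buildChunk(count, json = '{}') {
  return `${json.length}${DELIM}${json}`.repeat(count);
}

// Feed chunks to a handler; report how many messages it delivered and how it failed.
function drive(handler, chunks) {
  const state = { buffer: '' };
  let received = 0;
  try {
    for (const chunk of chunks) handler(state, chunk, () => { received += 1; });
    return { received, error: null };
  } catch (err) {
    return { received, error: err.constructor.name };
  }
}

// Stand-alone demo: ~800 KB of "{}" frames, well under MAX_BUFFER.
const attack = buildChunk(200000);
console.log('recursive:', drive(handleDataRecursive, [attack])); // error: 'RangeError'
console.log('iterative:', drive(handleDataIterative, [attack])); // received: 200000
```

The size check alone is not a fix: both handlers reject a chunk larger than `MAX_BUFFER`, yet only the recursive one dies on a chunk that is small in bytes but dense in messages. When reviewing a framing parser, look for the "consume one frame, call self" pattern and replace it with a loop, or add an explicit depth or per-chunk message cap if recursion must stay.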
Source: OSV · CVSS 3.1 base score 7.5
Vulnerability type
CWE-770: Allocation of Resources Without Limits or Throttling
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026