Nest Microservices Prone to Crash from Large JSON Payloads
GHSA-hpwf-8g29-85qm
Summary
Nest microservices may crash if an attacker sends a large number of small, valid JSON messages in a single TCP frame. The TCP transport's JsonSocket handles each message with a recursive call, so the call stack overflows and the process crashes. Update `@nestjs/microservices` to version 11.1.19 or later to fix this issue.
What to do
- Update `@nestjs/microservices` to version 11.1.19 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| nestjs | microservices | <= 11.1.18 | 11.1.19 |
Original title
Nest Affected by DoS via Recursive handleData in JsonSocket (TCP Transport)
Original description
### Impact
Attacker sends many small, valid JSON messages in one TCP frame
→ handleData() recurses once per message; buffer shrinks each call
→ maxBufferSize is never reached; call stack overflows instead
→ A ~47 KB payload is sufficient to trigger RangeError
### Patches
Fixed in `@nestjs/microservices@11.1.19`
### References
Discovered by https://github.com/hwpark6804-gif
CVSS 3.1 (GHSA)
7.5
Vulnerability type
CWE-770
Allocation of Resources Without Limits
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026