Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in @nestjs/core | CVE-2026-35515

Q: How to fix?

Upgrade @nestjs/core to version 11.1.18 or higher.

Introduced: 6 Apr 2026

NewCVE-2026-35515 (opens in a new tab) CWE-74 (opens in a new tab)

How to fix?

Upgrade @nestjs/core to version 11.1.18 or higher.

Overview

@nestjs/core is a Nest - modern, fast, powerful node.js web framework (@core)

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the SseStream._transform function. An attacker can inject arbitrary Server-Sent Events, spoof event types, and corrupt reconnection state by supplying specially crafted newline characters in upstream data that is mapped to the type or id fields.

Note:

This is only exploitable if user-influenced data is mapped to these fields by developer code.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
Low
Availability (SA)
None

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Affecting @nestjs/core package, versions <11.1.18

Severity

Do your applications use this vulnerable package?

Introduced: 6 Apr 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk