Uncontrolled Recursion Affecting @nestjs/microservices package, versions <11.1.19
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-NESTJSMICROSERVICES-16082546
- published16 Apr 2026
- disclosed14 Apr 2026
- credithwpark6804-gif
Introduced: 14 Apr 2026
New CVE NOT AVAILABLE CWE-674 (opens in a new tab)How to fix?
Upgrade @nestjs/microservices to version 11.1.19 or higher.
Overview
@nestjs/microservices is a Nest - modern, fast, powerful node.js web framework (@microservices)
Affected versions of this package are vulnerable to Uncontrolled Recursion through the handleData() function in packages/microservices/helpers/json-socket.ts. An attacker can crash the TCP microservice by sending a large burst of pipelined "<len>#<json>" frames in a single read, causing recursive frame processing to exhaust the call stack and terminate the connection. When the service processes untrusted TCP input, a crafted stream of many small valid frames can bring down the microservice and prevent it from responding to subsequent requests.