Skip to content
This repository was archived by the owner on Apr 30, 2026. It is now read-only.

chore(deps): update dependency @nestjs/core to v11.1.18 [security]#268

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-nestjs-core-vulnerability
Open

chore(deps): update dependency @nestjs/core to v11.1.18 [security]#268
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-nestjs-core-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 7, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
@nestjs/core (source) 11.1.1411.1.18 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


@​nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2026-35515 / GHSA-36xv-jgw5-4q75

More information

Details

Impact

What kind of vulnerability is it? Who is impacted?

SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\r, \n). Since the SSE protocol treats both \r and \n as field delimiters and \n\n as event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. Spring Framework's own security patch (6e97587) validates these same fields (id, event) for the same reason.

Actual impact:

  • Event spoofing: Attacker forges SSE events with arbitrary event: types, causing client-side EventSource.addEventListener() callbacks to fire for wrong event types.
  • Data injection: Attacker injects arbitrary data: payloads, potentially triggering XSS if the client renders SSE data as HTML without sanitization.
  • Reconnection corruption: Attacker injects id: fields, corrupting the Last-Event-ID header on reconnection, causing the client to miss or replay events.
  • Attack precondition: Requires the developer to map user-influenced data to the type or id fields of SSE messages. Direct HTTP request input does not reach these fields without developer code bridging the gap.
Patches

Has the problem been patched? What versions should users upgrade to?

Patched in @nestjs/core@11.1.18

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

nestjs/nest (@​nestjs/core)

v11.1.18

Compare Source

v11.1.18 (2026-04-03)

Bug fixes
Dependencies
Committers: 6

v11.1.17

Compare Source

v11.1.17 (2026-03-16)
Enhancements
Bugs
  • platform-fastify
    • auto-run middleware for HEAD requests as fastify redirects them to GET handlers (effectively skipping middleware execution) cbdf737 (@​kamilmysliwiec)
Dependencies
Committers: 3

v11.1.16

Compare Source

v11.1.16 (2026-03-05)
Bug fixes
  • microservices
Dependencies
Committers: 2

v11.1.15

Compare Source

What's Changed
New Contributors

Full Changelog: nestjs/nest@v11.1.14...v11.1.15


Configuration

📅 Schedule: (in timezone America/Vancouver)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot enabled auto-merge (squash) April 7, 2026 00:48
@renovate renovate Bot changed the title chore(deps): update dependency @nestjs/core to v11.1.18 [security] chore(deps): update dependency @nestjs/core to v11.1.18 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
auto-merge was automatically disabled April 27, 2026 18:52

Pull request was closed

@renovate renovate Bot deleted the renovate/npm-nestjs-core-vulnerability branch April 27, 2026 18:52
@renovate renovate Bot changed the title chore(deps): update dependency @nestjs/core to v11.1.18 [security] - autoclosed chore(deps): update dependency @nestjs/core to v11.1.18 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-core-vulnerability branch 2 times, most recently from 17b328a to 2f4d78d Compare April 27, 2026 22:45
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants