Primary

Context

NestJS Microservices Recursive Data Handling Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the NestJS framework, specifically in the microservices package, prior to version 11.1.19. The issue arises in the TCP transport layer, where the handleData() function recursively processes small, valid JSON messages sent within a single TCP frame. This recursion causes the call stack to overflow, as the maximum buffer size is not reached. A payload of approximately 47 KB is sufficient to trigger this RangeError, leading to a stack overflow.

Impact

Exploitation of this vulnerability causes a stack overflow, resulting in a denial-of-service condition.

Remediation

Users can upgrade to @nestjs/microservices version 11.1.19 to address this vulnerability.

Added: Apr 21, 2026, 8:50 PM

Updated: Apr 21, 2026, 8:50 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

7.4

remediation

0.0

relevance

6.4

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

7.4

remediation

0.0

relevance

6.4

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

NestJS Microservices Recursive Data Handling Denial-of-Service Vulnerability

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating