(NestJS), Server-Sent Events Injection, CVE-UNKNOWN (Medium)

Listen to this Post

How the mentioned CVE works:

The vulnerability exists in `SseStream._transform()` within @nestjs/core. This method handles Server-Sent Events (SSE) streaming by interpolating user-controlled `message.type` and `message.id` directly into the SSE protocol output without sanitizing newline characters (\r, \n). In the SSE specification, `\r` and `\n` act as field delimiters, while `\n\n` signals an event boundary. An attacker who can influence these fields through upstream data sources (e.g., database values, API responses) can inject arbitrary newlines. For example, setting `message.type = “event\nid: injected\n\n”` breaks the expected event structure. This allows three attack primitives: (1) event spoofing – forging arbitrary `event:` types to trigger wrong client-side `EventSource.addEventListener()` callbacks; (2) data injection – injecting `data:` payloads that may lead to XSS if the client renders SSE data as HTML; (3) reconnection corruption – injecting `id:` fields to alter the `Last-Event-ID` header, causing missed or replayed events on reconnection. The attack requires the developer to map user-influenced data to the `type` or `id` fields of SSE messages; direct HTTP request input does not reach these fields without custom bridging code. Spring Framework previously patched the identical issue (commit 6e97587) by validating `id` and `event` fields. The NestJS fix was released in version 11.1.18.

dailycve form:

Platform: @nestjs/core
Version: <=11.1.17
Vulnerability: SSE injection
Severity: Medium
date: 2025-04-07

Prediction: 2025-04-08

What Undercode Say:

Check vulnerable version
npm list @nestjs/core | grep -E "11.[0-1].(0?[0-9]|1[0-7])$"
Simulate injection via message.type
curl -X POST http://target/sse-endpoint \
-H "Content-Type: application/json" \
-d '{"type":"event\nid: injected\n\ndata: malicious","id":"normal"}'
Monitor SSE stream for newline injection
while IFS= read -r line; do echo "$line" | grep -E "event:|id:|data:"; done

Exploit:

Attacker controls a field mapped to `message.type` and injects \nevent: forged\nid: 123\n\n. The SSE parser on client side interprets this as separate events, firing wrong callbacks.

Protection from this CVE:

Upgrade to `@nestjs/[email protected]` or later. Alternatively, sanitize `type` and `id` by stripping \r, \n, and validating against allowed characters before passing to SSE stream.

Impact:

Event spoofing (wrong callbacks), data injection (potential XSS), reconnection state corruption (missed/replayed events). Requires developer-controlled mapping of untrusted input to SSE fields.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top