Listen to this Post
How the mentioned CVE works:
The vulnerability exists in `SseStream._transform()` within @nestjs/core. This method handles Server-Sent Events (SSE) streaming by interpolating user-controlled `message.type` and `message.id` directly into the SSE protocol output without sanitizing newline characters (\r, \n). In the SSE specification, `\r` and `\n` act as field delimiters, while `\n\n` signals an event boundary. An attacker who can influence these fields through upstream data sources (e.g., database values, API responses) can inject arbitrary newlines. For example, setting `message.type = “event\nid: injected\n\n”` breaks the expected event structure. This allows three attack primitives: (1) event spoofing – forging arbitrary `event:` types to trigger wrong client-side `EventSource.addEventListener()` callbacks; (2) data injection – injecting `data:` payloads that may lead to XSS if the client renders SSE data as HTML; (3) reconnection corruption – injecting `id:` fields to alter the `Last-Event-ID` header, causing missed or replayed events on reconnection. The attack requires the developer to map user-influenced data to the `type` or `id` fields of SSE messages; direct HTTP request input does not reach these fields without custom bridging code. Spring Framework previously patched the identical issue (commit 6e97587) by validating `id` and `event` fields. The NestJS fix was released in version 11.1.18.
dailycve form:
Platform: @nestjs/core
Version: <=11.1.17
Vulnerability: SSE injection
Severity: Medium
date: 2025-04-07
Prediction: 2025-04-08
What Undercode Say:
Check vulnerable version
npm list @nestjs/core | grep -E "11.[0-1].(0?[0-9]|1[0-7])$"
Simulate injection via message.type
curl -X POST http://target/sse-endpoint \
-H "Content-Type: application/json" \
-d '{"type":"event\nid: injected\n\ndata: malicious","id":"normal"}'
Monitor SSE stream for newline injection
while IFS= read -r line; do echo "$line" | grep -E "event:|id:|data:"; done
Exploit:
Attacker controls a field mapped to `message.type` and injects \nevent: forged\nid: 123\n\n. The SSE parser on client side interprets this as separate events, firing wrong callbacks.
Protection from this CVE:
Upgrade to `@nestjs/[email protected]` or later. Alternatively, sanitize `type` and `id` by stripping \r, \n, and validating against allowed characters before passing to SSE stream.
Impact:
Event spoofing (wrong callbacks), data injection (potential XSS), reconnection state corruption (missed/replayed events). Requires developer-controlled mapping of untrusted input to SSE fields.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

