PT-2026-30760 · Nest · Nest

Aleister1102 · Published 2026-04-06 · Updated 2026-04-10 · CVE-2026-35515

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Nest versions prior to 11.1.18
Description: The SseStream.transform() function interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters (\r, \n). Because the SSE protocol uses \r and \n as field delimiters and a blank line (\n\n) as the event boundary, an attacker who can influence these fields can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. An attacker can forge SSE events with arbitrary event: types, causing client-side EventSource.addEventListener() callbacks to fire for the wrong event type. They can also inject arbitrary data: payloads, which can lead to XSS if the client renders SSE data as HTML without sanitization. Additionally, attackers can inject id: fields, corrupting the Last-Event-ID header sent on reconnection, so the client misses or replays events. The attack requires the developer to map user-influenced data to the type or id fields of SSE messages.
Recommendations: Update to version 11.1.18 or later.
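The injection described above, shown end to end as an added example (this is illustrative code, not Nest's SseStream implementation or its fix). formatSseNaive mirrors the vulnerable pattern of interpolating type and id straight into the wire format; formatSseSafe strips CR/LF before emitting a field line; parseSseStream is a minimal client-side parser following the WHATWG event-stream rules so the effect on EventSource can be observed. The attacker-controlled "channel name" and the function names are constructed for this example.

```javascript
// Added example (not Nest's own code): how an unsanitized newline in the
// `type` or `id` field of an SSE message lets a client-influenced value forge
// extra events, spoof the event type and overwrite the last event id, and how
// removing CR/LF from field values closes the hole.

// Serializer in the vulnerable style the advisory describes: `type` and `id`
// are interpolated directly into the SSE text protocol.
function formatSseNaive(message) {
  let out = '';
  if (message.type !== undefined) out += `event: ${message.type}\n`;
  if (message.id !== undefined) out += `id: ${message.id}\n`;
  out += `data: ${JSON.stringify(message.data)}\n\n`;
  return out;
}

// CR and LF are field delimiters in SSE and a blank line ends an event, so no
// field value may contain them. Stripping is shown here; rejecting the message
// with an error is the stricter alternative.
function stripLineBreaks(value) {
  return String(value).replace(/[\r\n]/g, '');
}

function formatSseSafe(message) {
  let out = '';
  if (message.type !== undefined) out += `event: ${stripLineBreaks(message.type)}\n`;
  if (message.id !== undefined) out += `id: ${stripLineBreaks(message.id)}\n`;
  // JSON.stringify escapes any newline inside the payload as "\\n", so a
  // single data: line cannot be split by its content.
  out += `data: ${JSON.stringify(message.data)}\n\n`;
  return out;
}

// Minimal client-side parser following the WHATWG event-stream algorithm:
// CR, LF or CRLF end a line, a blank line dispatches the buffered event,
// `id:` updates the persistent last event id that EventSource would send as
// Last-Event-ID on reconnect.
function parseSseStream(text) {
  const events = [];
  let eventType = '';
  let data = [];
  let lastEventId = '';
  for (const line of text.split(/\r\n|\r|\n/)) {
    if (line === '') {
      if (data.length > 0) {
        events.push({ type: eventType || 'message', data: data.join('\n'), lastEventId });
      }
      eventType = '';
      data = [];
      continue;
    }
    if (line.startsWith(':')) continue; // comment line
    const colon = line.indexOf(':');
    const field = colon === -1 ? line : line.slice(0, colon);
    let value = colon === -1 ? '' : line.slice(colon + 1);
    if (value.startsWith(' ')) value = value.slice(1);
    if (field === 'event') eventType = value;
    else if (field === 'data') data.push(value);
    else if (field === 'id' && !value.includes('\u0000')) lastEventId = value;
  }
  return events;
}

// Constructed attacker-controlled value: a "channel name" a developer copies
// into message.type. It smuggles an id: line, a data: line, an event boundary
// and a second event: line that a client listener for 'admin-notice' would
// accept as genuine.
const ATTACKER_TYPE = 'chat\nid: 0\ndata: <img src=x onerror=alert(1)>\n\nevent: admin-notice';

// Serialize one server message with the given formatter and return what an
// EventSource client would dispatch from the resulting bytes.
function demo(format) {
  const wire = format({ type: ATTACKER_TYPE, id: '42', data: 'hello' });
  return parseSseStream(wire);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive:', demo(formatSseNaive)); // two events, second one spoofed
  console.log('safe :', demo(formatSseSafe));  // one event, id 42 intact
}
```

With the naive serializer the client sees two events: a 'chat' event carrying the injected HTML with last event id reset to 0, then a forged 'admin-notice' event that the legitimate id and data are attached to. With the hardened serializer the same input yields a single event whose type is mangled but whose id and data are untouched.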

Fix

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2026-35515
GHSA-36XV-JGW5-4Q75

Affected Products

Nest