PT-2026-33230 · Nest · Nest

Published: 2026-04-14 · Updated: 2026-04-21

CVE-2026-40879

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Nest versions prior to 11.1.19

Description

An issue exists where an attacker can send numerous small, valid JSON messages within a single TCP frame. This causes the handleData() function to recurse once for every message, shrinking the buffer with each call. Because maxBufferSize is not reached, the call stack overflows, and a payload of approximately 47 KB is sufficient to trigger a RangeError.

Recommendations

Update to version 11.1.19.
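The recursion pattern from the Description, modelled as an added example (this is not Nest's source code): a recursive drain of one buffered chunk beside a loop-based drain whose stack depth does not depend on the message count. The `<length>#<json>` framing, all function names and the sample chunk are assumptions made for illustration.

```javascript
// Added model, not Nest's source. Assumed framing: "<length>#<json>".
const DELIM = '#';

// Locate the next complete frame at `offset`; null if more bytes are needed.
function nextFrame(buffer, offset) {
  const i = buffer.indexOf(DELIM, offset);
  if (i === -1) return null;
  const len = parseInt(buffer.substring(offset, i), 10);
  if (!Number.isInteger(len) || len < 0) throw new Error('corrupted length');
  const end = i + 1 + len;
  return buffer.length < end ? null : { start: i + 1, end };
}

// Vulnerable shape: one stack frame per message found in the chunk.
function drainRecursive(buffer, onMessage) {
  const f = nextFrame(buffer, 0);
  if (f === null) return buffer;
  onMessage(JSON.parse(buffer.substring(f.start, f.end)));
  return drainRecursive(buffer.substring(f.end), onMessage);
}

// Hardened shape: a loop advances an offset, so stack depth stays constant.
function drainIterative(buffer, onMessage) {
  let offset = 0, f;
  while ((f = nextFrame(buffer, offset)) !== null) {
    onMessage(JSON.parse(buffer.substring(f.start, f.end)));
    offset = f.end;
  }
  return buffer.substring(offset); // leftover partial frame, if any
}

// Constructed input: n copies of the minimal frame "2#{}" in one chunk.
function buildChunk(n) { return '2#{}'.repeat(n); }

// Run a drain function and report whether it completed or threw.
function tryDrain(drain, chunk) {
  let handled = 0;
  try {
    const rest = drain(chunk, () => { handled++; });
    return { ok: true, handled, rest };
  } catch (err) {
    return { ok: false, handled, error: err.name };
  }
}

console.log('recursive:', tryDrain(drainRecursive, buildChunk(200000)));
console.log('iterative:', tryDrain(drainIterative, buildChunk(200000)));
```
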

Fix

Weakness Enumeration

Uncontrolled Recursion

Allocation of Resources Without Limits

Related Identifiers

CVE-2026-40879
GHSA-HPWF-8G29-85QM

Affected Products

Nest