Cyber Posture

CVE-2026-40879

High

Published 21 April 2026
Modified 24 April 2026
KEV Added: not listed
Patch: available (fixed in 11.1.19)
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0006 (17.5th percentile)
Risk Priority 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40879 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Nestjs Nest (the NestJS framework). Its CVSS v3.1 base score is 7.5 (High): remotely exploitable without authentication, with an availability-only impact.

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 17.5th EPSS percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mitigates the stack overflow by requiring timely patching of the Nest framework to version 11.1.19 or later, where the uncontrolled recursion in handleData() is fixed.

SC-5 Denial-of-service Protection (prevent)

Protects availability against the DoS caused by recursive processing of many small JSON messages in a single TCP frame, through safeguards such as rate limiting or resource controls on the TCP transport.

Per-frame message limit (prevent)

Restricts the number of valid JSON messages accepted from a single TCP frame. Because the buffer shrinks on every recursive call, the maxBufferSize check never fires; a cap on message count is what bounds the recursion depth and prevents the stack overflow.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A stack overflow via uncontrolled recursion in a public-facing NestJS application lets a remote attacker crash the server, which directly matches application/system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.19, when an attacker sends many small, valid JSON messages in one TCP frame, handleData() recurses once per message; the buffer shrinks each call. maxBufferSize is never reached; the call stack overflows instead. A ~47 KB payload is sufficient to trigger RangeError. This vulnerability is fixed in 11.1.19.

Deeper analysis

CVE-2026-40879 is a stack overflow vulnerability in the Nest framework, used for building scalable Node.js server-side applications. In versions prior to 11.1.19, the handleData() function recurses once per small, valid JSON message when an attacker sends many such messages in a single TCP frame. Although the buffer shrinks with each recursive call, the maxBufferSize limit is never reached, causing a call stack overflow and triggering a RangeError. A payload of approximately 47 KB is sufficient to exploit this issue, which is classified as CWE-674 (Uncontrolled Recursion).

A remote, unauthenticated attacker can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N). Successful exploitation leads to a denial of service through server crash, with a CVSS v3.1 base score of 7.5 (high availability impact, no confidentiality or integrity impact, unchanged scope).

The issue was addressed in Nest version 11.1.19. Security practitioners should upgrade to this version or later to mitigate the vulnerability. Additional details are available in the GitHub Security Advisory at https://github.com/nestjs/nest/security/advisories/GHSA-hpwf-8g29-85qm.
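The recursion pattern described above, and the per-frame message cap suggested under Mitigating Controls, modelled in an added JavaScript example. This is not @nestjs/microservices source code: the `<length>#<json>` framing, the function names (handleDataRecursive, handleDataIterative, probeRecursive) and the constants are assumptions made for the demo. It shows why a size guard on the remaining buffer never fires when that buffer shrinks on each recursive call, and contrasts it with an iterative loop that also caps the number of messages accepted from one frame.

```javascript
// Illustrative model of CWE-674 in a length-prefixed JSON stream parser.
// Added example, NOT @nestjs/microservices code. The "<length>#<json>" framing,
// the function names and the constants below are assumptions for the demo.
'use strict';

const MAX_BUFFER_SIZE = 1024 * 1024; // 1 MiB cap, the kind of size guard a transport configures
const DELIMITER = '#';

// Build one TCP frame holding `count` copies of a tiny valid JSON message (constructed input).
function buildFrame(count, payload = '{}') {
  const one = `${Buffer.byteLength(payload)}${DELIMITER}${payload}`;
  return Buffer.from(one.repeat(count));
}

// Parse the length prefix of the message at the start of `buf`.
// Returns { length, headerEnd } or null when no complete header is present yet.
function readHeader(buf) {
  const idx = buf.indexOf(DELIMITER);
  if (idx === -1) return null;
  const length = Number(buf.subarray(0, idx).toString());
  if (!Number.isInteger(length) || length < 0) throw new Error('bad length prefix');
  return { length, headerEnd: idx + 1 };
}

// VULNERABLE pattern: one recursive call per complete message. The size guard is
// evaluated on the *remaining* buffer, which shrinks on every call, so a frame made
// of many small messages never trips it; the call stack is the limit that is hit.
function handleDataRecursive(buf, out = []) {
  if (buf.length > MAX_BUFFER_SIZE) throw new Error('buffer too large'); // never reached here
  const h = readHeader(buf);
  if (h === null) return { messages: out, rest: buf };
  const end = h.headerEnd + h.length;
  if (buf.length < end) return { messages: out, rest: buf }; // wait for more data
  out.push(JSON.parse(buf.subarray(h.headerEnd, end).toString()));
  return handleDataRecursive(buf.subarray(end), out); // recursion depth == message count
}

// HARDENED pattern: iterate instead of recursing, and cap messages per frame so a
// single read cannot exhaust the stack or monopolize the event loop.
function handleDataIterative(buf, { maxMessagesPerFrame = 10_000 } = {}) {
  if (buf.length > MAX_BUFFER_SIZE) throw new Error('buffer too large');
  const out = [];
  let offset = 0;
  while (offset < buf.length) {
    const h = readHeader(buf.subarray(offset));
    if (h === null) break;
    const end = offset + h.headerEnd + h.length;
    if (buf.length < end) break; // partial message stays in `rest`
    if (out.length >= maxMessagesPerFrame) throw new Error('too many messages in one frame');
    out.push(JSON.parse(buf.subarray(offset + h.headerEnd, end).toString()));
    offset = end;
  }
  return { messages: out, rest: buf.subarray(offset) };
}

// Run the recursive parser and report whether the stack was exhausted (RangeError).
function probeRecursive(buf) {
  try {
    const r = handleDataRecursive(buf);
    return { ok: true, count: r.messages.length };
  } catch (e) {
    return { ok: false, error: e.constructor.name, message: e.message };
  }
}

// 200k x "2#{}" = 800 KB: under MAX_BUFFER_SIZE, yet far deeper than Node's call stack.
const demoFrame = buildFrame(200_000);
console.log('recursive parser:', probeRecursive(demoFrame));
console.log('iterative parser (cap raised):',
  handleDataIterative(demoFrame, { maxMessagesPerFrame: 1_000_000 }).messages.length, 'messages');
```

Run it with `node` and the recursive parser reports a RangeError well before the byte cap matters, while the iterative parser either processes all 200,000 messages or, with the default cap, rejects the frame up front. Note that the per-frame cap is a defence-in-depth measure for a transport you control; for the real framework the fix is the upgrade to 11.1.19.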

Details

CWE(s)

CWE-674 Uncontrolled Recursion

Affected Products

nestjs nest < 11.1.19 (fixed in 11.1.19)

CVEs Like This One

CVE-2026-33011Same product: Nestjs Nest
CVE-2026-2293Same product: Nestjs Nest
CVE-2026-33908Shared CWE-674
CVE-2026-25048Shared CWE-674
CVE-2026-41636Shared CWE-674
CVE-2026-32944Shared CWE-674
CVE-2026-39376Shared CWE-674
CVE-2026-33498Shared CWE-674
CVE-2024-8176Shared CWE-674
CVE-2026-30922Shared CWE-674

References

GitHub Security Advisory GHSA-hpwf-8g29-85qm: https://github.com/nestjs/nest/security/advisories/GHSA-hpwf-8g29-85qm