fix(deps): update dependency @nestjs/core to ^11.1.18 [security]#852
Open
renovate[bot] wants to merge 1 commit into
Open
fix(deps): update dependency @nestjs/core to ^11.1.18 [security]#852renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
Contributor
Coverage Report for packages/configs/vitest-config
File CoverageNo changed files found. |
renovate
Bot
force-pushed
the
renovate/npm-nestjs-core-vulnerability
branch
from
April 14, 2026 17:51
4189aa4 to
70fcb78
Compare
renovate
Bot
force-pushed
the
renovate/npm-nestjs-core-vulnerability
branch
from
April 21, 2026 13:12
70fcb78 to
9402a3b
Compare
renovate
Bot
force-pushed
the
renovate/npm-nestjs-core-vulnerability
branch
from
April 21, 2026 14:40
9402a3b to
cb21acb
Compare
renovate
Bot
force-pushed
the
renovate/npm-nestjs-core-vulnerability
branch
3 times, most recently
from
April 29, 2026 16:03
2040a9f to
62684ea
Compare
renovate
Bot
force-pushed
the
renovate/npm-nestjs-core-vulnerability
branch
from
April 29, 2026 21:13
62684ea to
e67d99d
Compare
renovate
Bot
force-pushed
the
renovate/npm-nestjs-core-vulnerability
branch
from
May 12, 2026 16:45
e67d99d to
b793097
Compare
renovate
Bot
force-pushed
the
renovate/npm-nestjs-core-vulnerability
branch
from
May 12, 2026 21:18
b793097 to
0b6a96e
Compare
renovate
Bot
force-pushed
the
renovate/npm-nestjs-core-vulnerability
branch
from
May 28, 2026 18:09
accb67f to
93d6ec7
Compare
renovate
Bot
force-pushed
the
renovate/npm-nestjs-core-vulnerability
branch
from
May 29, 2026 00:51
93d6ec7 to
80611da
Compare
renovate
Bot
force-pushed
the
renovate/npm-nestjs-core-vulnerability
branch
from
June 1, 2026 17:58
80611da to
1154b98
Compare
renovate
Bot
force-pushed
the
renovate/npm-nestjs-core-vulnerability
branch
from
June 2, 2026 01:00
1154b98 to
d28209a
Compare
renovate
Bot
force-pushed
the
renovate/npm-nestjs-core-vulnerability
branch
from
June 11, 2026 16:19
d28209a to
b22dd96
Compare
renovate
Bot
force-pushed
the
renovate/npm-nestjs-core-vulnerability
branch
from
June 12, 2026 00:56
b22dd96 to
0c12d97
Compare
renovate
Bot
force-pushed
the
renovate/npm-nestjs-core-vulnerability
branch
from
July 3, 2026 09:52
0c12d97 to
9753a74
Compare
renovate
Bot
force-pushed
the
renovate/npm-nestjs-core-vulnerability
branch
from
July 3, 2026 14:02
9753a74 to
84cb269
Compare
renovate
Bot
force-pushed
the
renovate/npm-nestjs-core-vulnerability
branch
from
July 12, 2026 11:16
84cb269 to
f9dec95
Compare
renovate
Bot
force-pushed
the
renovate/npm-nestjs-core-vulnerability
branch
from
July 12, 2026 16:47
f9dec95 to
b594ae3
Compare
renovate
Bot
force-pushed
the
renovate/npm-nestjs-core-vulnerability
branch
from
July 17, 2026 01:05
b594ae3 to
76cf15f
Compare
renovate
Bot
force-pushed
the
renovate/npm-nestjs-core-vulnerability
branch
from
July 17, 2026 11:19
76cf15f to
d57e3ee
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^11.1.14→^11.1.18@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2026-35515 / GHSA-36xv-jgw5-4q75
More information
Details
Impact
What kind of vulnerability is it? Who is impacted?
SseStream._transform()interpolatesmessage.typeandmessage.iddirectly into Server-Sent Events text protocol output without sanitizing newline characters (\r,\n). Since the SSE protocol treats both\rand\nas field delimiters and\n\nas event boundaries, an attacker who can influence these fields through upstream data sources can inject arbitrary SSE events, spoof event types, and corrupt reconnection state. Spring Framework's own security patch (6e97587) validates these same fields (id,event) for the same reason.Actual impact:
event:types, causing client-sideEventSource.addEventListener()callbacks to fire for wrong event types.data:payloads, potentially triggering XSS if the client renders SSE data as HTML without sanitization.id:fields, corrupting theLast-Event-IDheader on reconnection, causing the client to miss or replay events.typeoridfields of SSE messages. Direct HTTP request input does not reach these fields without developer code bridging the gap.Patches
Has the problem been patched? What versions should users upgrade to?
Patched in
@nestjs/core@11.1.18Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
nestjs/nest (@nestjs/core)
v11.1.18Compare Source
v11.1.18 (2026-04-03)
Bug fixes
microservicescoreDependencies
core,platform-express,platform-fastifyplatform-fastifyplatform-wscommonCommitters: 6
v11.1.17Compare Source
v11.1.17 (2026-03-16)
Enhancements
microservicesBugs
platform-fastifycbdf737(@kamilmysliwiec)Dependencies
commonplatform-fastifyCommitters: 3
v11.1.16Compare Source
v11.1.16 (2026-03-05)
Bug fixes
microservicesDependencies
platform-expressCommitters: 2
v11.1.15Compare Source
What's Changed
New Contributors
Full Changelog: nestjs/nest@v11.1.14...v11.1.15
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.