NestJS Core Patches Critical Injection Vulnerability in Version 11.1.18

The NestJS team has released an urgent security patch addressing a critical injection vulnerability in @nestjs/core. The flaw, tracked as CVE-2026-35515 and catalogued under GHSA-36xv-jgw5-4q75, involves the improper neutralization of special elements in output used by a downstream component. The vulnerability affects versions prior to 11.1.18.

The patch upgrades @nestjs/core from version 11.1.17 to 11.1.18 and was distributed through automated dependency management via Renovate Bot. While the technical specifics of the exploit remain limited in public documentation, injection vulnerabilities of this class typically involve untrusted data being passed into application components without adequate sanitization, potentially allowing attackers to manipulate downstream processing.

Developers and organizations using @nestjs/core in production environments are advised to update immediately. The vulnerability carries significant risk for applications that process user-supplied input through NestJS decorators, guards, or custom middleware. Security teams should audit their dependency trees to confirm all instances of the affected package have been patched, and monitor for unusual activity that may indicate active exploitation attempts.