AI Security Summary
NestJS applications are exposed across HTTP client behavior, JWT verification, template/object utilities, and SSE/streaming endpoints. The recurring mistake is trusting library defaults and user-controlled input without explicit guards at every trust boundary.
Prototype Pollution Gadget Chains in Axios and Lodash
Covers: CVE-2026-42033 · CVE-2026-42035 · CVE-2026-42041 · CVE-2026-42042 · CVE-2026-4800 · CVE-2025-13465 · CVE-2026-2950 · CVE-2026-25639 Risk: Polluted Object.prototype properties are silently read by Axios and Lodash, enabling header injection, auth bypass, XSRF leakage, and DoS crashes.
- NEVER merge or assign user-controlled objects without first stripping proto, constructor, and prototype keys at every entry point.
- ALWAYS use Object.create(null) or structuredClone with prototype-free checks when building config or options objects from external input.
- NEVER rely on truthy/falsy coercion for security-critical config flags such as XSRF token guards — ALWAYS use strict boolean comparison.
- NEVER pass JSON.parse() output directly into library config or merge functions without sanitizing inherited-property attack paths.
- ALWAYS validate that path segments passed to object-manipulation utilities cannot reference prototype chain members, including via array-wrapped segments.
SSRF and Proxy Bypass via Axios URL and NO_PROXY Handling
Covers: CVE-2025-27152 · CVE-2025-62718 · CVE-2026-42043 · CVE-2026-42038 · CVE-2026-40175 Risk: Axios fails to normalize hostnames and absolute URLs against NO_PROXY rules, letting attackers route requests through attacker-controlled proxies or internal metadata services.
- NEVER construct Axios request URLs from user-supplied input without first parsing and validating the scheme, host, and path components server-side.
- ALWAYS canonicalize hostnames — resolving trailing dots, IPv6 literals, and loopback aliases — before comparing against any proxy-bypass allowlist.
- NEVER assume that setting baseURL prevents Axios from honoring an absolute URL supplied in the request path; validate and strip absolute overrides explicitly.
- ALWAYS maintain an explicit allowlist of permitted outbound destinations and block any request that resolves to a loopback, link-local, or cloud-metadata address.
- NEVER inject Axios headers from sources that may have been tainted by prototype pollution in any co-dependency — audit the full header assembly path.
Code Injection via Lodash Template and Unbounded Recursion DoS
Covers: CVE-2021-23337 · CVE-2020-28500 · CVE-2026-42039 · CVE-2021-3749 Risk: Passing user-controlled strings to lodash template/trim functions or deeply nested objects to Axios toFormData can execute arbitrary code or crash the Node.js process.
- NEVER pass user-supplied strings as the template source, variable name, or imports key names to lodash's _.template function.
- NEVER pass user-controlled data as the imports option keys to any utility that ultimately constructs a Function() — treat those key names as code.
- ALWAYS enforce a maximum nesting depth on objects before passing them to any serialization or form-data helper that recurses without a depth limit.
- NEVER apply lodash string-manipulation helpers such as trim or toNumber directly to unbounded, user-supplied strings without length and character constraints.
JWT Algorithm Confusion and Signature Verification Bypass
Covers: CVE-2022-23539 · CVE-2022-23540 · CVE-2022-23541 Risk: Absent explicit algorithm and key-type constraints in jwt.verify(), attackers can forge tokens using the none algorithm or mismatched key types such as RSA public keys as HMAC secrets.
- ALWAYS pass an explicit algorithms allowlist to jwt.verify() — never allow the library to infer or default the acceptable algorithm.
- NEVER accept a token whose header algorithm does not exactly match the algorithm bound to the signing key in your application's key registry.
- ALWAYS enforce a strict mapping between key type and algorithm so that RSA/EC public keys cannot be used as symmetric HMAC secrets and vice versa.
- NEVER permit a falsy, null, or undefined secret/key value to reach jwt.verify() — treat any missing key as a hard verification failure.
NestJS Protocol-Level Injection and Streaming Resource Leaks
Covers: CVE-2023-26108 · CVE-2024-29409 · CVE-2026-35515 · CVE-2026-42034 · CVE-2026-42036 · CVE-2023-45857 Risk: Unsanitized Content-Type headers, SSE message fields, and unbounded streams allow code execution, protocol injection, credential exposure, and resource exhaustion in NestJS services.
- NEVER interpolate message.type, message.id, or any user-controlled string into SSE output without stripping all newline characters (\r and \n).
- ALWAYS validate and allowlist the Content-Type header server-side before routing file-upload requests — never trust the client-declared MIME type for execution decisions.
- ALWAYS attach an abort or close handler to every StreamableFile or piped stream so that client disconnection cannot leave server-side streams open indefinitely.
- NEVER rely on Axios maxBodyLength or maxContentLength to limit streamed request or response bodies — enforce size limits in your own streaming middleware.
- NEVER allow the XSRF-TOKEN cookie value to be forwarded as an HTTP header to hosts outside the origin that set it — scope XSRF transmission explicitly.
Cross-cutting patterns (all NestJS projects)
- ALWAYS treat every library configuration object as a potential injection surface and validate its shape with a strict schema before use.
- NEVER allow user-controlled input to reach a library function without first applying input length limits, character allowlists, and structural depth constraints.
- ALWAYS explicitly declare every security-relevant option (algorithm, key type, size limit, proxy rules) rather than relying on library defaults.
- NEVER forward sensitive tokens, cookies, or credentials in outbound requests without verifying the destination host matches an explicit allowlist.