Vulnerability in Cap project

[ankitdn]

While working on Cap project, I scanned the dependency manifest and found that it uses a vulnerable version of @nestjs/core. The scan revealed an injection issue in Server-Sent Events handling, where unsanitized type and id fields can allow attackers to inject arbitrary events or manipulate SSE streams, potentially leading to spoofing or data injection.

CVE Report
CVE Link

[linear]

CAP-677

[tembo]

Thanks for the report. I checked the codebase and can confirm @nestjs/core@11.1.17 is present as a transitive dependency - it's pulled in by the workflow package (version 4.2.0-beta.73) used in apps/web/package.json.

The workflow package depends on @workflow/nest, which has @nestjs/core as a peer dependency. The NestJS components are used internally by the workflow library for its task orchestration system.

Relevant files:

• apps/web/package.json - declares "workflow": "4.2.0-beta.73"
• Workflow usage in apps/web/workflows/ (transcribe.ts, process-video.ts, generate-ai.ts, import-loom-video.ts)

Potential fix paths:

1. Check if a newer version of the workflow package uses an updated @nestjs/core - there are newer beta versions available (up to 4.2.0-beta.76)
2. If the upstream workflow package hasn't updated its NestJS dependency yet, this would need to be addressed there first
3. Alternatively, an overrides field in the root package.json could force a patched @nestjs/core version once one is released

It's worth noting that @nestjs/core@11.1.18 exists - if that version contains the fix, an override might work. However, the SSE vulnerability impact depends on whether Cap actually uses NestJS SSE functionality directly. From a quick search, Cap doesn't appear to use SSE endpoints through NestJS itself - the workflow library uses NestJS internally for its orchestration, not for handling user-facing HTTP requests.

Could you clarify which version of @nestjs/core contains the fix for CVE-2026-35515? That would help determine the remediation path.