{"id":"CVE-2026-40608","summary":"Next AI Draw.io: Unbounded HTTP Body — Denial of Service","details":"Next AI Draw.io is a next.js web application that integrates AI capabilities with draw.io diagrams. Prior to 0.4.15, the embedded HTTP sidecar contains three POST handlers (/api/state, /api/restore, and /api/history-svg) that process incoming requests by accumulating the entire request body into a JavaScript string without any size limitations. Node.js buffers the entire payload in the V8 heap. Sending a sufficiently large body (e.g., 500 MiB or more) will exhaust the process heap memory, leading to an Out-of-Memory (OOM) error that crashes the MCP server. This vulnerability is fixed in 0.4.15.","aliases":["GHSA-9q7h-wgfw-p378"],"modified":"2026-07-08T08:13:12.500925171Z","published":"2026-04-21T17:56:35.046Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40608.json","cwe_ids":["CWE-770"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40608.json"},{"type":"ADVISORY","url":"https://github.com/DayuanJiang/next-ai-draw-io/security/advisories/GHSA-9q7h-wgfw-p378"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40608"},{"type":"FIX","url":"https://github.com/DayuanJiang/next-ai-draw-io/commit/31819f413cc4b329a1cb81e5fccd0cd98c1fd665"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dayuanjiang/next-ai-draw-io","events":[{"introduced":"0"},{"fixed":"d4454beb9ace3ea63139653dc6d2ff2e40d68682"},{"fixed":"31819f413cc4b329a1cb81e5fccd0cd98c1fd665"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"0.4.15"}],"cpe":"cpe:2.3:a:dayuanjiang:next_ai_draw.io:*:*:*:*:*:*:*:*"}}],"versions":["v0.4.14","v0.4.13","v0.4.12","v0.4.11","v0.4.10","v0.4.9","v0.4.8","v0.4.7","v0.4.6","v0.4.5","v0.4.4","v0.4.3","v0.4.1","v0.4.0","v0.3.0","v0.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40608.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}