{"id":"GHSA-cj7v-w2c7-cp7c","summary":"nest allows a remote attacker to execute arbitrary code via the Content-Type header","details":"File Upload vulnerability in nestjs nest (@nestjs/common) prior to v10.4.16, and in 11.x from v11.0.0-next.1 up to but not including v11.0.16, allows a remote attacker to execute arbitrary code via the Content-Type header.","aliases":["CVE-2024-29409"],"modified":"2025-04-14T22:25:17Z","published":"2025-03-14T18:30:51Z","database_specific":{"github_reviewed_at":"2025-03-27T21:13:49Z","github_reviewed":true,"cwe_ids":["CWE-94"],"nvd_published_at":"2025-03-14T18:15:27Z","severity":"MODERATE"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29409"},{"type":"WEB","url":"https://github.com/nestjs/nest/issues/13311#issuecomment-1993839495"},{"type":"WEB","url":"https://github.com/nestjs/nest/issues/14876"},{"type":"WEB","url":"https://github.com/nestjs/nest/issues/14876#issuecomment-2796888038"},{"type":"WEB","url":"https://github.com/nestjs/nest/pull/14881"},{"type":"WEB","url":"https://gist.github.com/aydinnyunus/801342361584d1491c67a820a714f53f"},{"type":"PACKAGE","url":"https://github.com/nestjs/nest"},{"type":"WEB","url":"https://github.com/nestjs/nest/blob/83a48b2c7396985144b7a6cd5d3bee1abb7c5d81/packages/common/pipes/file/file-type.validator.ts#L19"},{"type":"WEB","url":"https://github.com/nestjs/nest/releases/tag/v10.4.16"},{"type":"WEB","url":"https://github.com/nestjs/nest/releases/tag/v11.0.16"}],"affected":[{"package":{"name":"@nestjs/common","ecosystem":"npm","purl":"pkg:npm/%40nestjs/common"},"ranges":[{"type":"SEMVER","events":[{"introduced":"11.0.0-next.1"},{"fixed":"11.0.16"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-cj7v-w2c7-cp7c/GHSA-cj7v-w2c7-cp7c.json"}},{"package":{"name":"@nestjs/common","ecosystem":"npm","purl":"pkg:npm/%40nestjs/common"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"10.4.16"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-cj7v-w2c7-cp7c/GHSA-cj7v-w2c7-cp7c.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"}]}