6.2
CVE-2026-40608
- EPSS 0.15%
- Veröffentlicht 21.04.2026 17:56:35
- Zuletzt bearbeitet 27.04.2026 19:41:49
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginNext AI Draw.io: Unbounded HTTP Body — Denial of Service
Next AI Draw.io is a next.js web application that integrates AI capabilities with draw.io diagrams. Prior to 0.4.15, the embedded HTTP sidecar contains three POST handlers (/api/state, /api/restore, and /api/history-svg) that process incoming requests by accumulating the entire request body into a JavaScript string without any size limitations. Node.js buffers the entire payload in the V8 heap. Sending a sufficiently large body (e.g., 500 MiB or more) will exhaust the process heap memory, leading to an Out-of-Memory (OOM) error that crashes the MCP server. This vulnerability is fixed in 0.4.15.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Dayuanjiang ≫ Next Ai Draw.Io Version < 0.4.15
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.15% | 0.042 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.5 | 1.8 | 3.6 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
|
| security-advisories@github.com | 6.2 | 2.5 | 3.6 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-770 Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
https://github.com/DayuanJiang/next-ai-draw-io/security/advisories/GHSA-9q7h-wgfw-p378
https://github.com/DayuanJiang/next-ai-draw-io/commit/31819f413cc4b329a1cb81e5fccd0cd98c1fd665