VYPR
Medium severity (6.2) · NVD Advisory · Published Apr 21, 2026 · Updated Apr 27, 2026

CVE-2026-40608

Description

Next AI Draw.io is a Next.js web application that integrates AI capabilities with draw.io diagrams. Prior to 0.4.15, the embedded HTTP sidecar contains three POST handlers (/api/state, /api/restore, and /api/history-svg) that process incoming requests by accumulating the entire request body into a JavaScript string without any size limit. Node.js buffers the whole payload in the V8 heap, so sending a sufficiently large body (e.g., 500 MiB or more) exhausts the process heap, leading to an Out-of-Memory (OOM) error that crashes the MCP server. This vulnerability is fixed in 0.4.15.
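The mitigation pattern for this class of bug, as an added example that is not the project's own code: a bounded body accumulator in the style of the 0.1.19 fix, extended with two checks the fix does not make, rejecting up front when the Content-Length header already exceeds the cap and decoding the body once from concatenated Buffers so a multi-byte UTF-8 character split across chunks is not corrupted. `BoundedBody`, `declaredTooLarge` and the `readBody` wrapper are names chosen here; `readBody` expects Node's IncomingMessage/ServerResponse and is not exercised offline.

```javascript
const MAX_BODY_BYTES = 10 * 1024 * 1024 // 10 MiB, the same cap the fix uses

// Pure accumulator, independent of Node's http objects so it can be unit-tested.
// push(chunk) returns "ok" or "too_large"; finish() decodes the collected bytes.
class BoundedBody {
  constructor(limit = MAX_BODY_BYTES) {
    this.limit = limit
    this.size = 0
    this.chunks = []
    this.rejected = false
  }
  push(chunk) {
    if (this.rejected) return "too_large"
    this.size += chunk.length
    if (this.size > this.limit) {
      this.rejected = true
      this.chunks = [] // release what was buffered; the request is being dropped
      return "too_large"
    }
    this.chunks.push(chunk)
    return "ok"
  }
  finish() {
    // One concat + one decode: no per-chunk string growth and no U+FFFD from a
    // multi-byte sequence that straddles a chunk boundary.
    return Buffer.concat(this.chunks).toString("utf8")
  }
}

// Cheap pre-check: a declared Content-Length above the cap is refused before
// any body byte is read. Missing or malformed values fall through to streaming.
function declaredTooLarge(headers, limit = MAX_BODY_BYTES) {
  const declared = Number(headers["content-length"])
  return Number.isFinite(declared) && declared > limit
}

// Same call shape as the fix's readBody(req, res, cb). Hypothetical wrapper.
function readBody(req, res, cb, limit = MAX_BODY_BYTES) {
  const reject = () => {
    res.writeHead(413, { "Content-Type": "application/json" })
    res.end(JSON.stringify({ error: "Payload too large" }))
    req.destroy() // push() is ignored after destroy(), so "end" never fires
  }
  if (declaredTooLarge(req.headers, limit)) return reject()
  const acc = new BoundedBody(limit)
  req.on("data", (chunk) => { if (acc.push(chunk) === "too_large") reject() })
  req.on("end", () => { if (!acc.rejected) cb(acc.finish()) })
}
```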

Patches

31819f413cc4

fix: add 10MB body size limit to MCP HTTP endpoints (#791)

https://github.com/DayuanJiang/next-ai-draw-io · Dayuan Jiang · Apr 6, 2026 · via nvd-ref
2 files changed · +27 −16
  • packages/mcp-server/package.json (+1 −1, modified)
    @@ -1,6 +1,6 @@
     {
         "name": "@next-ai-drawio/mcp-server",
    -    "version": "0.1.18",
    +    "version": "0.1.19",
         "description": "MCP server for Next AI Draw.io - AI-powered diagram generation with real-time browser preview",
         "type": "module",
         "main": "dist/index.js",
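Review bot: the version bumped here is @next-ai-drawio/mcp-server 0.1.18 → 0.1.19, while the advisory text names 0.4.15 as the fixed release; the commit message or advisory should say which package each number refers to, so anyone pinning the MCP server package knows 0.1.19 is its first patched version.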
    
  • packages/mcp-server/src/http-server.ts (+26 −15, modified)
    @@ -4,6 +4,29 @@
      */
     
     import http from "node:http"
    +
    +const MAX_BODY_BYTES = 10 * 1024 * 1024 // 10 MiB
    +
    +function readBody(
    +    req: http.IncomingMessage,
    +    res: http.ServerResponse,
    +    cb: (body: string) => void,
    +): void {
    +    let body = ""
    +    let size = 0
    +    req.on("data", (chunk: Buffer) => {
    +        size += chunk.length
    +        if (size > MAX_BODY_BYTES) {
    +            res.writeHead(413, { "Content-Type": "application/json" })
    +            res.end(JSON.stringify({ error: "Payload too large" }))
    +            req.destroy()
    +            return
    +        }
    +        body += chunk
    +    })
    +    req.on("end", () => cb(body))
    +}
    +
     import {
         addHistory,
         clearHistory,
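Review bot: MAX_BODY_BYTES and readBody are inserted between `import http from "node:http"` and the `import { addHistory, ... }` block; move them below the last import so the module keeps imports first (ESM hoists imports, so this is readability, not behaviour). Two points on the helper itself: the limit is only enforced once bytes arrive, so a request whose Content-Length header already exceeds MAX_BODY_BYTES could be answered with 413 before any of the body is read; and `body += chunk` still stringifies each Buffer separately, which turns a multi-byte UTF-8 sequence straddling a chunk boundary into U+FFFD, so collecting Buffers and calling Buffer.concat once in the "end" handler (or req.setEncoding("utf8")) is safer and avoids repeated string copies. A one-line comment that req.destroy() makes later push() calls no-ops, so "end" does not fire and cb is never called for a rejected body, would make that intent explicit.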
    @@ -266,11 +289,7 @@ function handleStateApi(
                 }),
             )
         } else if (req.method === "POST") {
    -        let body = ""
    -        req.on("data", (chunk) => {
    -            body += chunk
    -        })
    -        req.on("end", () => {
    +        readBody(req, res, (body) => {
                 try {
                     const data = JSON.parse(body)
                     const { sessionId } = data
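Review bot: readBody now writes the 413 response for this branch itself, so check that nothing after this `else if (req.method === "POST")` block writes to res again (for example a trailing 404/405 fallthrough), which would be a write-after-end on rejected requests; the same check applies to the handleRestoreApi and handleHistorySvgApi hunks below, which make the identical substitution.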
    @@ -347,11 +366,7 @@ function handleRestoreApi(
             return
         }
     
    -    let body = ""
    -    req.on("data", (chunk) => {
    -        body += chunk
    -    })
    -    req.on("end", () => {
    +    readBody(req, res, (body) => {
             try {
                 const { sessionId, index } = JSON.parse(body)
                 if (!sessionId || index === undefined) {
    @@ -393,11 +408,7 @@ function handleHistorySvgApi(
             return
         }
     
    -    let body = ""
    -    req.on("data", (chunk) => {
    -        body += chunk
    -    })
    -    req.on("end", () => {
    +    readBody(req, res, (body) => {
             try {
                 const { sessionId, svg } = JSON.parse(body)
                 if (!sessionId || !svg) {
    
