CVE-2026-40608

low-risk
Published 2026-04-21

Next AI Draw.io is a next.js web application that integrates AI capabilities with draw.io diagrams. Prior to 0.4.15, the embedded HTTP sidecar contains three POST handlers (/api/state, /api/restore, and /api/history-svg) that process incoming requests by accumulating the entire request body into a JavaScript string without any size limitations. Node.js buffers the entire payload in the V8 heap. Sending a sufficiently large body (e.g., 500 MiB or more) will exhaust the process heap memory, leading to an Out-of-Memory (OOM) error that crashes the MCP server. This vulnerability is fixed in 0.4.15.

Do I need to act?

-
0.02% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.2/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Next Ai Draw.Io

Affected Vendors

Dayuanjiang

References (3)

Patch https://github.com/DayuanJiang/next-ai-draw-io/commit/31819f413cc4b329a1cb81e5fc...
Exploit https://github.com/DayuanJiang/next-ai-draw-io/security/advisories/GHSA-9q7h-wgf...
Exploit https://github.com/DayuanJiang/next-ai-draw-io/security/advisories/GHSA-9q7h-wgf...
25
/ 100
low-risk
Severity 20/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal