CVE-2026-40608: Next AI Draw.io DoS Vulnerability

CVE-2026-40608 Overview

Next AI Draw.io is a Next.js web application that integrates AI capabilities with draw.io diagrams. A memory exhaustion vulnerability exists in versions prior to 0.4.15 that allows attackers to crash the MCP server by sending oversized HTTP request bodies to specific API endpoints.

The embedded HTTP sidecar contains three POST handlers (/api/state, /api/restore, and /api/history-svg) that process incoming requests by accumulating the entire request body into a JavaScript string without any size limitations. Since Node.js buffers the entire payload in the V8 heap, sending a sufficiently large body (e.g., 500 MiB or more) exhausts the process heap memory, leading to an Out-of-Memory (OOM) error that crashes the MCP server.

Critical Impact

Unauthenticated attackers can cause complete denial of service by crashing the MCP server through memory exhaustion, disrupting AI-powered diagramming functionality for all users.

Affected Products

• Next AI Draw.io versions prior to 0.4.15
• MCP server HTTP sidecar component
• Applications using vulnerable /api/state, /api/restore, and /api/history-svg endpoints

Discovery Timeline

• 2026-04-21 - CVE CVE-2026-40608 published to NVD
• 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-40608

Vulnerability Analysis

This vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The core issue stems from the HTTP sidecar's request handling implementation in the MCP server component. When processing POST requests to the affected endpoints, the server accumulates request body data into a JavaScript string variable without enforcing any maximum size constraints.

Node.js's V8 JavaScript engine stores strings in heap memory. When an attacker sends a multi-hundred megabyte request body, the entire payload is buffered in memory before processing. This design flaw enables trivial resource exhaustion attacks where an attacker can force the server to allocate memory until the V8 heap limit is exceeded, triggering an OOM crash.

The attack requires local access to the vulnerable endpoints but does not require authentication or user interaction, making it straightforward to exploit in environments where the MCP server is accessible.

Root Cause

The root cause is missing input validation on the HTTP request body size in the packages/mcp-server/src/http-server.ts file. The original implementation used Node.js's standard request event handling to accumulate body chunks into a string without checking the cumulative size against any threshold. This allows unbounded memory allocation proportional to the attacker-controlled request payload size.

Attack Vector

The attack vector is local network access to the MCP HTTP server endpoints. An attacker can exploit this vulnerability by:

1. Identifying an exposed Next AI Draw.io instance with the MCP server running
2. Sending a POST request to /api/state, /api/restore, or /api/history-svg endpoints
3. Including an extremely large request body (500 MiB or more)
4. The server attempts to buffer the entire payload in memory
5. V8 heap exhaustion triggers an OOM error, crashing the MCP server process

The security patch implements a readBody helper function that tracks cumulative chunk size and returns HTTP 413 (Payload Too Large) when the 10 MiB limit is exceeded:

const MAX_BODY_BYTES = 10 * 1024 * 1024 // 10 MiB

function readBody(
    req: http.IncomingMessage,
    res: http.ServerResponse,
    cb: (body: string) => void,
): void {
    let body = ""
    let size = 0
    req.on("data", (chunk: Buffer) => {
        size += chunk.length
        if (size > MAX_BODY_BYTES) {
            res.writeHead(413, { "Content-Type": "application/json" })
            res.end(JSON.stringify({ error: "Payload too large" }))
            req.destroy()
            return
        }
        body += chunk
    })
    req.on("end", () => cb(body))
}

Source: GitHub Commit 31819f4

Detection Methods for CVE-2026-40608

Indicators of Compromise

• Unusually large POST requests (>10 MiB) targeting /api/state, /api/restore, or /api/history-svg endpoints
• MCP server process crashes with OOM errors in logs
• Repeated server restarts or service unavailability patterns
• Memory utilization spikes followed by process termination

Detection Strategies

• Monitor HTTP request body sizes for POST requests to MCP server endpoints and alert on requests exceeding normal operational thresholds
• Implement application-level logging to track memory allocation patterns in the Node.js process
• Configure process monitoring to detect unexpected MCP server crashes and correlate with incoming request logs
• Deploy web application firewall rules to block oversized request bodies before they reach the application

Monitoring Recommendations

• Enable memory profiling and heap size monitoring for Node.js processes running the MCP server
• Set up alerting on HTTP 413 responses if using the patched version, as these may indicate exploitation attempts
• Monitor for repeated connection attempts from single sources sending large payloads
• Track service availability metrics for the MCP server component

How to Mitigate CVE-2026-40608

Immediate Actions Required

• Upgrade Next AI Draw.io to version 0.4.15 or later immediately
• Implement network-level request size limits using reverse proxy or load balancer configurations
• Restrict access to the MCP server endpoints to trusted networks only
• Enable rate limiting on the affected API endpoints

Patch Information

The vulnerability is fixed in Next AI Draw.io version 0.4.15. The patch introduces a MAX_BODY_BYTES constant set to 10 MiB and a new readBody helper function that validates incoming chunk sizes against this limit. When exceeded, the server responds with HTTP 413 and destroys the request, preventing memory exhaustion.

For detailed patch information, see the GitHub Security Advisory GHSA-9q7h-wgfw-p378 and the commit implementing the fix.

Workarounds

• Deploy a reverse proxy (nginx, HAProxy) in front of the MCP server with request body size limits configured
• Implement network segmentation to restrict access to the MCP server from untrusted networks
• Use a web application firewall to enforce maximum request body sizes at the edge
• Monitor and automatically restart the MCP server process if crashes are detected while working toward patching

# Configuration example - nginx request body size limit
# Add to nginx server or location block for MCP endpoints
client_max_body_size 10m;

# Or for specific location blocks:
location /api/state {
    client_max_body_size 10m;
    proxy_pass http://mcp-server:3000;
}

location /api/restore {
    client_max_body_size 10m;
    proxy_pass http://mcp-server:3000;
}

location /api/history-svg {
    client_max_body_size 10m;
    proxy_pass http://mcp-server:3000;
}