CVE-2025-69211
Published 2025-12-29
Priority: P3 (51) · Severity: high · CVSS 3.1 base score: 7.4
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.36% (27.4th percentile)
Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses `@nestjs/platform-fastify`; relies on `NestMiddleware` (via `MiddlewareConsumer`) or `app.use()` for security checks (authentication, authorization, etc.); and applies that middleware to specific routes using string paths or controllers (e.g., `.forRoutes('admin')`). Exploitation can result in unauthenticated users accessing protected routes, restricted administrative endpoints becoming accessible to lower-privileged users, and/or middleware performing sanitization or validation being skipped. This issue is patched in `@nestjs/platform-fastify@11.1.11`.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nestjs | nest | < 11.1.11 | 11.1.11 |
| nestjs | platform-fastify | >= 0 < 11.1.11 | 11.1.11 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| NVD | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| Red Hat (vendor) | | 6.9 | MEDIUM | |
Red Hat
vendor_redhat · 2025-12-29 · CVSS 6.9 · MEDIUM · CWE-367
nestjs: NestJS framework: Security bypass allows unauthorized access to protected routes
OSV
osv · 2025-12-30 · MEDIUM
Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)
A NestJS application is vulnerable if it meets all of the following criteria:
1. Platform: Uses `@nestjs/platform-fastify`.
2. Security Mechanism: Relies on `NestMiddleware` (via `MiddlewareConsumer`) or `app.use()` for security checks (authentication, authorization, etc.).
3. Routing: Applies middleware to specific routes using string paths or controllers (e.g., `.forRoutes('admin')`).
Example Vulnerable Config:
```ts
// app.module.ts
import { MiddlewareConsumer, Module, NestModule } from '@nestjs/common';
import { AuthMiddleware } from './auth.middleware'; // path assumed; the advisory does not show this file

@Module({}) // controllers/providers omitted for brevity
export class AppModule implements NestModule {
  configure(consumer: MiddlewareConsumer) {
    consumer
      .apply(AuthMiddleware) // Security check
      .forRoutes('admin'); // Vulnerable: path-based restriction (criterion 3)
  }
}
```
Attack Vector:
- Target Route: `/admin`
- Middleware Path: `admin`
- Attack Reques
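The bypass the OSV text describes, as an added model written for this page: it is not NestJS or Fastify source, and it does not reproduce the advisory's own attack request, which is cut off above. `matchRaw`, `matchNormalized`, `routerPath` and `simulate` are names chosen here, and the request `/%61dmin/users` is a constructed instance of the URL-encoding class named in the title (the `a` of `admin` percent-encoded). The model shows why criterion 3 matters: a path-scoped middleware that decides on the raw request target is checking a different string from the one the router later dispatches on, so the check and the use disagree (CWE-367). The hardened matcher decides on the same decoded path the router will use; it illustrates the pattern only, and the remediation the page gives is upgrading to 11.1.11.

```typescript
// Added illustration of the check/use mismatch the advisory describes.
// Toy model only: not NestJS or Fastify code, and all names are assumed.

interface IncomingRequest {
  method: string;
  rawUrl: string; // request target exactly as sent, e.g. "/admin/users?page=2"
}

type Matcher = (req: IncomingRequest, routePrefix: string) => boolean;

interface Outcome {
  dispatchedTo: string; // path the router ends up matching
  authChecked: boolean; // whether the path-scoped middleware ran
}

/** Strip the query string; only the path part takes part in routing. */
function rawPath(req: IncomingRequest): string {
  const q = req.rawUrl.indexOf('?');
  return q === -1 ? req.rawUrl : req.rawUrl.slice(0, q);
}

/** Decode one percent-encoded segment; malformed escapes are left as sent. */
function safeDecode(segment: string): string {
  try {
    return decodeURIComponent(segment);
  } catch {
    return segment;
  }
}

/** Router view: one percent-decoding per segment before route matching. */
function routerPath(req: IncomingRequest): string {
  return rawPath(req).split('/').map(safeDecode).join('/');
}

/** Prefix test shared by both matchers: "/admin" or "/admin/..." */
function hasPrefix(path: string, routePrefix: string): boolean {
  const prefix = '/' + routePrefix.replace(/^\/+/, '');
  return path === prefix || path.startsWith(prefix + '/');
}

/** Vulnerable pattern: the check runs on the raw, still-encoded path. */
const matchRaw: Matcher = (req, routePrefix) => hasPrefix(rawPath(req), routePrefix);

/** Hardened pattern: the check runs on the decoded path the router will use. */
const matchNormalized: Matcher = (req, routePrefix) => hasPrefix(routerPath(req), routePrefix);

/** Run one request through a path-scoped auth middleware, then the router. */
function simulate(req: IncomingRequest, matcher: Matcher, protectedPrefix = 'admin'): Outcome {
  const authChecked = matcher(req, protectedPrefix);
  return { dispatchedTo: routerPath(req), authChecked };
}

// Constructed sample requests (not the advisory's attack request).
const plain: IncomingRequest = { method: 'GET', rawUrl: '/admin/users?page=2' };
const encoded: IncomingRequest = { method: 'GET', rawUrl: '/%61dmin/users' };
const doubleEncoded: IncomingRequest = { method: 'GET', rawUrl: '/%2561dmin' };

console.log('raw matcher, plain    :', simulate(plain, matchRaw));
console.log('raw matcher, encoded  :', simulate(encoded, matchRaw)); // dispatched to /admin/users, auth skipped
console.log('normalized, encoded   :', simulate(encoded, matchNormalized)); // auth runs
console.log('normalized, double-enc:', simulate(doubleEncoded, matchNormalized)); // stays /%61dmin, no protected route
```

Runs with `ts-node` or `npx tsx` and needs no dependencies. Two details of the model are the practical caveats: decode exactly as the router does (once, per segment), since any divergence recreates the mismatch in one direction or the other, which is what the `/%2561dmin` case checks; and leave malformed escapes as sent rather than throwing, so a bad `%` sequence cannot make the middleware fail open. Middleware applied globally rather than to string paths performs no path comparison at all and so falls outside the three conditions the advisory lists.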
GHSA
ghsa · 2025-12-30 · MEDIUM · CWE-367
Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)
Advisory text is identical to the OSV entry above.
No detection rules found.
No public exploits indexed.
Published: 2025-12-29