CVE-2026-2293
Published 2026-02-27
Priority: P2 · 61 · critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.67% (percentile 47.1)
A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled.
This issue affects NestJS: 11.1.13.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nest.js | nest.js | — | — |
| nestjs | nest | — | — |
| nestjs | platform-fastify | >= 0 < 11.1.14 | 11.1.14 |
Detection & IOCs (extracted from sources)
- Authentication/authorization middleware bypass occurs when @nestjs/platform-fastify is used with Fastify path-normalization options enabled; monitor for unexpected access to protected routes via path-normalized requests
- A remote attacker can exploit path-normalization to bypass authentication and authorization middleware, gaining unauthorized access to protected resources
- Vulnerability is only exploitable when Fastify path-normalization options are explicitly enabled in the NestJS application configuration; applications not using @nestjs/platform-fastify or not enabling path-normalization are not affected
- Affected version is NestJS 11.1.13 specifically
- Red Hat Developer Hub (rhdh/rhdh-hub-rhel9) and Red Hat OpenShift Container Platform 4 (openshift4/ose-agent-installer-ui-rhel9) packages are confirmed not affected
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v4.0: 8.2 HIGH, CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Red Hat (vendor): 8.2 HIGH
GHSA
Nest has a Fastify URL Encoding Middleware Bypass
GHSA · 2026-03-02 · CVE-2026-2293 [HIGH] · CWE-863
### Impact
A NestJS application using `@nestjs/platform-fastify` can allow bypass of any middleware when Fastify path-normalization options (e.g., `ignoreTrailingSlash`, `ignoreDuplicateSlashes`, `useSemicolonDelimiter`) are enabled. In affected route-scoped middleware setups, variant paths may skip middleware checks while still reaching the protected handler.
The bug is a path canonicalization mismatch between middleware matching and route matching in Nest’s Fastify adapter.
Nest passes Fastify `routerOptions` (such as `ignoreTrailingSlash`, `ignoreDuplicateSlashes`, `useSemicolonDelimiter`) to the Fastify router in `packages/platform-fastify/adapters/fastify-adapter.ts:253`.
But middle
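The canonicalization mismatch described above, as an added illustrative model in plain JavaScript (not NestJS, Fastify, or the upstream fix): `normalizePath` approximates the three router options named in the advisory, `rawMiddlewareMatches` is a hypothetical route-scoped matcher that compares the raw request path, and `findMismatches` is a check a maintainer can run over their protected paths to confirm the middleware matcher and the router agree. All function names and the sample paths are constructed for this example.

```javascript
// Illustrative model only: approximates how a router with Fastify-style
// normalization options sees a path, so it can be compared with a middleware
// matcher that looks at the raw path. Not Nest or Fastify source code.

// Approximation of the three options named in the advisory (assumed semantics).
function normalizePath(path, opts = {}) {
  let p = path;
  if (opts.useSemicolonDelimiter) {
    const i = p.indexOf(';');
    if (i !== -1) p = p.slice(0, i);                  // "/admin;v=1" -> "/admin"
  }
  if (opts.ignoreDuplicateSlashes) p = p.replace(/\/{2,}/g, '/'); // "//admin" -> "/admin"
  if (opts.ignoreTrailingSlash && p.length > 1) p = p.replace(/\/+$/, ''); // "/admin/" -> "/admin"
  return p;
}

// Hypothetical naive route-scoped middleware matcher: compares the raw path verbatim.
function rawMiddlewareMatches(pattern, path) {
  return path === pattern;
}

// Hardened variant: canonicalize with the same options the router uses first.
function canonicalMiddlewareMatches(pattern, path, opts) {
  return rawMiddlewareMatches(pattern, normalizePath(path, opts));
}

// Check: which paths does the router dispatch to `pattern` while the
// middleware matcher does not see them? An empty result means both views agree.
function findMismatches(pattern, paths, opts, matcher = rawMiddlewareMatches) {
  return paths.filter(
    (p) => normalizePath(p, opts) === pattern && !matcher(pattern, p, opts),
  );
}

// Constructed sample input, not captured traffic.
const OPTS = {
  ignoreTrailingSlash: true,
  ignoreDuplicateSlashes: true,
  useSemicolonDelimiter: true,
};
const SAMPLE_PATHS = ['/admin', '/admin/', '//admin', '/admin;v=1', '/public'];

console.log('raw matcher gaps:', findMismatches('/admin', SAMPLE_PATHS, OPTS));
console.log('canonical matcher gaps:',
  findMismatches('/admin', SAMPLE_PATHS, OPTS, canonicalMiddlewareMatches));
```

Running the check with a real application's middleware patterns and its actual `routerOptions` gives a regression test: any non-empty result means a route can be reached without its middleware.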
OSV
Nest has a Fastify URL Encoding Middleware Bypass
OSV · 2026-03-02 · CVE-2026-2293 [HIGH] (advisory text identical to the GHSA entry above)
Red Hat
nestjs: NestJS: Authentication bypass via Fastify path-normalization
Red Hat · 2026-02-27 · CVSS 8.2 · CVE-2026-2293 [HIGH] · CWE-551
A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled.
This issue affects NestJS: 11.1.13.
A flaw was found in NestJS. When a NestJS application uses @nestjs/platform-fastify with Fastify path-normalization options enabled, a remote attacker can exploit this to bypass authentication and authorization middleware. This bypass allows unauthorized access to protected resources, compromising the application's security controls.
Package: rhdh/rhdh-hub-rhel9 (Red Hat Developer Hub) - Not affected
Package: openshift4/ose-agent-installer-ui-rhel9 (Red Hat OpenShift Container Platform 4) - Not affected
No detection rules found.
No public exploits indexed.
References
- https://fluidattacks.com/advisories/neton
- https://github.com/nestjs/nest/
- https://github.com/nestjs/nest/releases/tag/v11.1.14
- https://access.redhat.com/security/cve/CVE-2026-2293
- https://bugzilla.redhat.com/show_bug.cgi?id=2443367
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2293.json