
NestJS Platform-Fastify vulnerabilities

4 known vulnerabilities affecting nestjs/platform-fastify.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 1

Vulnerabilities

CVE-2026-54281 | Priority: P2 | Severity: HIGH | Affected versions: ≥ 0, < 11.1.24 | Published: 2026-06-15 | Sources: GHSA
CWE-863: Nest: Middleware Bypass on Fastify via Trailing Slash
Impact: An authentication bypass vulnerability exists in `@nestjs/platform-fastify` (confirmed on version `11.1.24`, the latest available release at time of report). When middleware is registered through NestJS's `MiddlewareConsumer.forRoutes()` API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route
CVE-2026-2293 | Priority: P2 | Severity: HIGH | Affected versions: ≥ 0, < 11.1.14 | Published: 2026-03-02 | Sources: GHSA, OSV
CWE-863: Nest has a Fastify URL Encoding Middleware Bypass
Impact: A NestJS application using `@nestjs/platform-fastify` can allow bypass of any middleware when Fastify path-normalization options (e.g., `ignoreTrailingSlash`, `ignoreDuplicateSlashes`, `useSemicolonDelimiter`) are enabled. In affected route-scoped middleware setups, variant paths may skip middleware chec
CVE-2025-69211 | Priority: P3 | Severity: MEDIUM | Affected versions: ≥ 0, < 11.1.11 | Published: 2025-12-30 | Sources: GHSA, OSV
CWE-367: Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)
A NestJS application is vulnerable if it meets all of the following criteria:
1. Platform: Uses `@nestjs/platform-fastify`.
2. Security Mechanism: Relies on `NestMiddleware` (via `MiddlewareConsumer`) for security checks (authentication, authorization, etc.), or through `app.use()`.
3. Routing: Applies middleware to specific routes using string pa
CVE-2026-33011 | Priority: P3 | Severity: HIGH | Affected versions: ≥ 0, < 11.1.16 | Published: 2026-03-17 | Sources: GHSA, OSV
CWE-670: Nest Fastify HEAD Request Middleware Bypass
Impact: In a NestJS application using `@nestjs/platform-fastify`, GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist). As a result:
- Middleware will be completely skipped.
- The HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET hand