Nestjs Platform-Fastify vulnerabilities
4 known vulnerabilities affecting nestjs/platform-fastify.
Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 1
Vulnerabilities
CVE-2026-54281 | P2 | HIGH | Affected: ≥ 0, < 11.1.24 | 2026-06-15
CVE-2026-54281 [HIGH] CWE-863 Nest: Middleware Bypass on Fastify via Trailing Slash
Nest: Middleware Bypass on Fastify via Trailing Slash
### Impact
An authentication bypass vulnerability exists in `@nestjs/platform-fastify` (confirmed on version `11.1.24`, the latest available release at time of report). When middleware is registered through NestJS's `MiddlewareConsumer.forRoutes()` API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route
CVE-2026-2293 | P2 | HIGH | Affected: ≥ 0, < 11.1.14 | 2026-03-02
CVE-2026-2293 [HIGH] CWE-863 Nest has a Fastify URL Encoding Middleware Bypass
Nest has a Fastify URL Encoding Middleware Bypass
### Impact
A NestJS application using `@nestjs/platform-fastify` can allow bypass of any middleware when Fastify path-normalization options (e.g., `ignoreTrailingSlash`, `ignoreDuplicateSlashes`, `useSemicolonDelimiter`) are enabled. In affected route-scoped middleware setups, variant paths may skip middleware chec
CVE-2025-69211 | P3 | MEDIUM | Affected: ≥ 0, < 11.1.11 | 2025-12-30
CVE-2025-69211 [MEDIUM] CWE-367 Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)
Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)
A NestJS application is vulnerable if it meets all of the following criteria:
1. Platform: Uses `@nestjs/platform-fastify`.
2. Security Mechanism: Relies on `NestMiddleware` (via `MiddlewareConsumer`) for security checks (authentication, authorization, etc.), or through `app.use()`
3. Routing: Applies middleware to specific routes using string pa
CVE-2026-33011 | P3 | HIGH | Affected: ≥ 0, < 11.1.16 | 2026-03-17
CVE-2026-33011 [HIGH] CWE-670 Nest Fastify HEAD Request Middleware Bypass
Nest Fastify HEAD Request Middleware Bypass
### Impact
In a NestJS application using `@nestjs/platform-fastify`, middleware registered for GET routes can be bypassed because Fastify automatically dispatches a HEAD request to the corresponding GET handler when no HEAD route exists.
As a result:
- Middleware will be completely skipped.
- The HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET hand
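All four advisories above share one root cause: the router resolves the handler on a canonicalized path (and, for HEAD, on a substituted method), while route-scoped middleware is matched on the raw request line. The following is an added example, written for this page and not code from NestJS or Fastify, that models that ordering in a few dozen lines so the variant requests from CVE-2026-2293, CVE-2025-69211, CVE-2026-54281 and CVE-2026-33011 can be probed side by side against a vulnerable and a hardened dispatcher. The route table, the `Bearer demo-token` value and the dispatcher functions are constructed for the demo; the option names `ignoreTrailingSlash`, `ignoreDuplicateSlashes` and `useSemicolonDelimiter` are the ones cited in CVE-2026-2293, while the `decodePercent` step is an assumption standing in for the percent-encoding case that the CVE-2025-69211 excerpt names but does not detail.

```javascript
// Added example: simplified model of the NestJS/Fastify middleware-bypass
// class described above. Not NestJS or Fastify code; routes, token value and
// the `decodePercent` option are constructed for the demo.

// Canonicalize a request path the way a router with these options would.
// Returns null when the percent-encoding cannot be decoded.
function canonicalPath(rawUrl, opts) {
  let p = rawUrl.split('?')[0];
  if (opts.useSemicolonDelimiter) p = p.split(';')[0];
  if (opts.ignoreDuplicateSlashes) p = p.replace(/\/{2,}/g, '/');
  if (opts.ignoreTrailingSlash && p.length > 1 && p.endsWith('/')) p = p.slice(0, -1);
  if (opts.decodePercent) {            // assumption: models the URL-encoding case
    try { p = decodeURIComponent(p); } catch { return null; }
  }
  return p;
}

// Constructed route table and one route-scoped auth middleware for GET /admin/users.
const routes = {
  'GET /admin/users': () => ({ status: 200, body: 'user list' }),
  'GET /health':      () => ({ status: 200, body: 'ok' }),
};
const middleware = [
  { method: 'GET', path: '/admin/users',
    check: (req) => req.headers.authorization === 'Bearer demo-token' },
];

// Router: resolves on the canonical path and, as CVE-2026-33011 describes,
// serves a HEAD request from the GET handler when no HEAD route exists,
// dropping the body.
function route(req, opts) {
  const path = canonicalPath(req.url, opts);
  if (path === null) return { status: 400, body: 'bad request' };
  let key = `${req.method} ${path}`;
  let headFallback = false;
  if (!routes[key] && req.method === 'HEAD') { key = `GET ${path}`; headFallback = true; }
  if (!routes[key]) return { status: 404, body: 'not found' };
  const res = routes[key]();
  return headFallback ? { ...res, body: '' } : res;
}

// Run every middleware registered for (method, path); 401 on a failed check.
function runMiddleware(req, method, path) {
  for (const m of middleware) {
    if (m.method === method && m.path === path && !m.check(req)) {
      return { status: 401, body: 'unauthorized' };
    }
  }
  return null;
}

// Vulnerable ordering: middleware matched on the raw path and exact method,
// then the router canonicalizes. Any variant the router maps onto /admin/users
// that is not byte-identical to it (or is HEAD rather than GET) is unchecked.
function dispatchVulnerable(req, opts) {
  const rawPath = req.url.split('?')[0];
  return runMiddleware(req, req.method, rawPath) || route(req, opts);
}

// Hardened ordering: middleware matched on the same canonical path the router
// will use, and on the method it will actually dispatch under (HEAD collapsed
// to GET when only a GET route exists). Undecodable paths are rejected first.
function dispatchHardened(req, opts) {
  const path = canonicalPath(req.url, opts);
  if (path === null) return { status: 400, body: 'bad request' };
  let method = req.method;
  if (method === 'HEAD' && !routes[`HEAD ${path}`] && routes[`GET ${path}`]) method = 'GET';
  return runMiddleware(req, method, path) || route(req, opts);
}

// Unauthenticated probes built from the variants the advisories name.
const opts = { ignoreTrailingSlash: true, ignoreDuplicateSlashes: true,
               useSemicolonDelimiter: true, decodePercent: true };
const probes = [
  { method: 'GET',  url: '/admin/users' },      // baseline: must be challenged
  { method: 'GET',  url: '/admin/users/' },     // trailing slash
  { method: 'GET',  url: '/admin//users' },     // duplicate slash
  { method: 'GET',  url: '/admin/users;v=1' },  // semicolon delimiter
  { method: 'GET',  url: '/admin/%75sers' },    // percent-encoded 'u' (assumed case)
  { method: 'HEAD', url: '/admin/users' },      // HEAD served by the GET handler
];

// Status each probe receives under a dispatcher, with no credentials sent.
function probeStatuses(dispatch) {
  return probes.map((p) => dispatch({ ...p, headers: {} }, opts).status);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', probeStatuses(dispatchVulnerable)); // [401, 200, 200, 200, 200, 200]
  console.log('hardened:  ', probeStatuses(dispatchHardened));   // [401, 401, 401, 401, 401, 401]
}
```

The same probe list doubles as a regression check against a real deployment: send each variant without credentials to a middleware-protected route and expect a uniform 401 (and, for the HEAD probe, no 200 with an empty body). The fix for an affected application is the patched `@nestjs/platform-fastify` version listed in each row above; independently of that, authentication logic placed in a Nest guard runs after Fastify has resolved the handler, so it is not subject to this raw-path versus canonical-path mismatch.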