CVE-2026-33011

CVE-2026-33011 affects Nest with @nestjs/platform-fastify: in versions 11.1.15 and earlier, Fastify’s HEAD-to-GET redirect can bypass GET middleware, causing middleware to be skipped while the GET handler still runs and the response lacks a body. The issue is fixed in version 11.1.16. Remediate b...

CVE-2026-33011 Nest Fastify HEAD Request Middleware Bypass

Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers if they exist. As a...

PT-2026-25990

Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers if they exist. As a...

CVE-2026-2880

A vulnerability in @fastify/middie versions 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware for example, app.use'/secret', auth. When Fastify router normalization options are enabled such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related...

CVE-2025-69211

CVE-2025-69211 affects Nest.js applications using the Fastify platform integration before version 11.1.11. The issue is a bypass in the Fastify URL encoding middleware that can skip security checks implemented via NestMiddleware (via MiddlewareConsumer) or app.use(), particularly when middleware ...