GHSA-6V32-FJC9-9QF6 Nest: Middleware Bypass on Fastify via Trailing Slash

Impact An authentication bypass vulnerability exists in @nestjs/platform-fastify confirmed on version 11.1.24, the latest available release at time of report. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes API on the Fastify adapter, an unauthenticated client can bypa...

Incorrect Authorization

Overview @nestjs/platform-fastify is a Nest - modern, fast, powerful node.js web framework @platform-fastify Affected versions of this package are vulnerable to Incorrect Authorization via the MiddlewareConsumer.forRoutes API on the Fastify adapter. An attacker can gain unauthorized access to...

@bechara/crux (>=6.0.0 <=6.6.2), @cappa/cli (>=0.1.0 <=0.8.2) +11 more potentially affected by CVE-2026-6270 via @fastify/middie (>=9.0.2 <=9.3.1)

@fastify/middie NPM version =9.0.2, =6.0.0, =0.1.0, =0.1.0, =1.0.0, =1.0.11, =0.1.51, =1.0.36, =11.0.0, =1.3.0, =5.0.0, =0.6.1-dev, =1.1.48 Source cves: CVE-2026-6270 Source advisory: SNYK:JS-FASTIFYMIDDIE-16098213...

Nest Fastify HEAD Request Middleware Bypass

Impact In a NestJS application using @nestjs/platform-fastify, GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers if they exist. As a result: - Middleware will be completely skipped. - The HTTP response won't include a body since...

EUVD-2026-9034

A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects nest.Js: 11.1.13...

Incorrect Authorization

Overview @nestjs/platform-fastify is a Nest - modern, fast, powerful node.js web framework @platform-fastify Affected versions of this package are vulnerable to Incorrect Authorization when Fastify path-normalization options e.g., ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter...

CVE-2026-2293

A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects nest.Js: 11.1.13...

PT-2026-22347

Name of the Vulnerable Software and Affected Versions Nest.js version 11.1.13 Description A NestJS application utilizing the @nestjs/platform-fastify package may experience a bypass of authentication and authorization middleware when Fastify path-normalization options are enabled. This can...

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview @nestjs/platform-fastify is a Nest - modern, fast, powerful node.js web framework @platform-fastify Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition in the URL encoding middleware, allowing it to be bypassed in certain configurations. An...

CVE-2025-69211

Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses @nestjs/platform-fastify; relies on NestMiddleware via MiddlewareConsumer for security checks...

@falkor/falkor-auth-server (=1.1.1), @figedi/sentry-fastify (=1.0.6) +6 more potentially affected by CVE-2022-41919 via fastify (>=4.0.2 <=4.10.0)

fastify NPM version =4.0.2, =0.0.2, =0.0.16 - verdaccio =6.0.0-6-next.52 Source cves: CVE-2022-41919 Source advisory: OSV:GHSA-3FJJ-P79J-C9HH...