NestJS platform-fastify CVE-2026-54281
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description states unauthenticated remote bypass on default config with no user interaction; bypassed auth typically exposes data read/write (C:H/I:H) with limited availability impact.
Primary rating from Vendor (https://github.com/nestjs/nest).
CVSS VectorVendor: https://github.com/nestjs/nest
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7Blast Radius
ecosystem impact- 10 npm packages depend on @nestjs/platform-fastify (2 direct, 8 indirect)
Ecosystem-wide dependent count for version 11.1.24.
DescriptionCVE.org
Impact
An authentication bypass vulnerability exists in @nestjs/platform-fastify (confirmed on version 11.1.24, the latest available release at time of report). When middleware is registered through NestJS's MiddlewareConsumer.forRoutes() API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route by simply appending a trailing slash (/) to the request URL.
This bypass works on the default Fastify adapter configuration - no special router options need to be enabled. Applications using the standard CRUD route shape (GET /resource and GET /resource/:id) are affected when they protect those routes with MiddlewareConsumer.forRoutes() middleware.
Patches
Fixed in @nestjs/platform-fastify@11.1.24
References
Kudos goes to @a-tt-om
AnalysisAI
Authentication bypass in @nestjs/platform-fastify versions 11.1.23 and earlier allows remote attackers to skip route-scoped middleware (including authentication and authorization checks) by simply appending a trailing slash to the request URL. The flaw affects default Fastify adapter configurations with standard CRUD routes registered via MiddlewareConsumer.forRoutes(), and no public exploit identified at time of analysis despite the trivially low exploitation effort.
Technical ContextAI
NestJS is a TypeScript server-side framework that supports either Express or Fastify as its underlying HTTP engine via adapter packages. The @nestjs/platform-fastify adapter binds Nest's MiddlewareConsumer.forRoutes() route patterns to Fastify's radix-tree router; the bug arises because Nest's route matcher and Fastify's router normalize trailing slashes differently, so a request such as GET /resource/ reaches the underlying handler without first traversing the middleware chain that was registered for GET /resource. This is a classic CWE-863 (Incorrect Authorization) inconsistency in URL canonicalization between two layers, where the security check and the dispatch decision use different views of the same path.
RemediationAI
Vendor-released patch: @nestjs/platform-fastify 11.1.24 - upgrade the dependency in package.json and redeploy, per the advisory at https://github.com/nestjs/nest/security/advisories/GHSA-6v32-fjc9-9qf6. If an immediate upgrade is not feasible, port the protected logic from MiddlewareConsumer middleware into NestJS Guards (which run inside the Nest execution context after route matching and are not subject to this slash-normalization gap), or place a reverse proxy in front of the application (for example nginx with 'merge_slashes on' and a rewrite that strips trailing slashes) so that /resource/ and /resource are canonicalized before reaching Fastify - note this changes URL semantics for any handler that legitimately distinguishes the two forms. As a narrower compensating control, duplicate the .forRoutes() registration with both '/path' and '/path/' patterns, accepting the maintenance burden of keeping the two lists in sync.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-6v32-fjc9-9qf6