Skip to main content

NestJS platform-fastify CVE-2026-54281

HIGH
Incorrect Authorization (CWE-863)
2026-06-15 https://github.com/nestjs/nest GHSA-6v32-fjc9-9qf6
8.7
CVSS 4.0 · Vendor: https://github.com/nestjs/nest
Share

Severity by source

Vendor (https://github.com/nestjs/nest) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.4 CRITICAL

Description states unauthenticated remote bypass on default config with no user interaction; bypassed auth typically exposes data read/write (C:H/I:H) with limited availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/nestjs/nest).

CVSS VectorVendor: https://github.com/nestjs/nest

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jun 22, 2026 - 22:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 22, 2026 - 22:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 22, 2026 - 22:23 vuln.today
cvss_changed
CVSS changed
Jun 22, 2026 - 22:23 NVD
8.7 (HIGH)
CVE Published
Jun 22, 2026 - 06:03 cve.org
HIGH
Source Code Evidence Fetched
Jun 15, 2026 - 21:20 vuln.today
Analysis Generated
Jun 15, 2026 - 21:20 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 10 npm packages depend on @nestjs/platform-fastify (2 direct, 8 indirect)

Ecosystem-wide dependent count for version 11.1.24.

DescriptionCVE.org

Impact

An authentication bypass vulnerability exists in @nestjs/platform-fastify (confirmed on version 11.1.24, the latest available release at time of report). When middleware is registered through NestJS's MiddlewareConsumer.forRoutes() API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route by simply appending a trailing slash (/) to the request URL.

This bypass works on the default Fastify adapter configuration - no special router options need to be enabled. Applications using the standard CRUD route shape (GET /resource and GET /resource/:id) are affected when they protect those routes with MiddlewareConsumer.forRoutes() middleware.

Patches

Fixed in @nestjs/platform-fastify@11.1.24

References

Kudos goes to @a-tt-om

AnalysisAI

Authentication bypass in @nestjs/platform-fastify versions 11.1.23 and earlier allows remote attackers to skip route-scoped middleware (including authentication and authorization checks) by simply appending a trailing slash to the request URL. The flaw affects default Fastify adapter configurations with standard CRUD routes registered via MiddlewareConsumer.forRoutes(), and no public exploit identified at time of analysis despite the trivially low exploitation effort.

Technical ContextAI

NestJS is a TypeScript server-side framework that supports either Express or Fastify as its underlying HTTP engine via adapter packages. The @nestjs/platform-fastify adapter binds Nest's MiddlewareConsumer.forRoutes() route patterns to Fastify's radix-tree router; the bug arises because Nest's route matcher and Fastify's router normalize trailing slashes differently, so a request such as GET /resource/ reaches the underlying handler without first traversing the middleware chain that was registered for GET /resource. This is a classic CWE-863 (Incorrect Authorization) inconsistency in URL canonicalization between two layers, where the security check and the dispatch decision use different views of the same path.

RemediationAI

Vendor-released patch: @nestjs/platform-fastify 11.1.24 - upgrade the dependency in package.json and redeploy, per the advisory at https://github.com/nestjs/nest/security/advisories/GHSA-6v32-fjc9-9qf6. If an immediate upgrade is not feasible, port the protected logic from MiddlewareConsumer middleware into NestJS Guards (which run inside the Nest execution context after route matching and are not subject to this slash-normalization gap), or place a reverse proxy in front of the application (for example nginx with 'merge_slashes on' and a rewrite that strips trailing slashes) so that /resource/ and /resource are canonicalized before reaching Fastify - note this changes URL semantics for any handler that legitimately distinguishes the two forms. As a narrower compensating control, duplicate the .forRoutes() registration with both '/path' and '/path/' patterns, accepting the maintenance burden of keeping the two lists in sync.

Share

CVE-2026-54281 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy