GHSA-6v32-fjc9-9qf6High

Nest: Middleware Bypass on Fastify via Trailing Slash

Published
June 15, 2026
Last Modified
June 15, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

An authentication bypass vulnerability exists in @nestjs/platform-fastify (confirmed on version 11.1.24, the latest available release at time of report). When middleware is registered through NestJS's MiddlewareConsumer.forRoutes() API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route by simply appending a trailing slash (/) to the request URL.

This bypass works on the default Fastify adapter configuration — no special router options need to be enabled. Applications using the standard CRUD route shape (GET /resource and GET /resource/:id) are affected when they protect those routes with MiddlewareConsumer.forRoutes() middleware.

Patches

Fixed in @nestjs/[email protected]

References

Kudos goes to @a-tt-om

🎯 Affected products1

  • npm/@nestjs/platform-fastify:<= 11.1.23

🔗 References (2)