Nest: Middleware Bypass on Fastify via Trailing Slash
Description
An authentication bypass in @nestjs/platform-fastify lets unauthenticated users skip middleware by appending a trailing slash to the request URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An authentication bypass vulnerability exists in @nestjs/platform-fastify, reported as affecting all versions up to and including 11.1.23, with the fix published in 11.1.24 (the release commit shown under Patches). When middleware is registered through the NestJS MiddlewareConsumer.forRoutes() API on the Fastify adapter, an unauthenticated client can bypass the middleware for that route by appending a trailing slash (/) to the request URL. The bypass works on the default Fastify adapter configuration; no special router options need to be enabled. Applications using standard CRUD route shapes such as GET /resource and GET /resource/:id are affected when they protect those routes with MiddlewareConsumer.forRoutes() middleware. [1][2]
Exploitation
An attacker needs only network access to the affected application — no authentication or special privileges are required. By sending an HTTP request to a protected route (e.g., GET /resource) with a trailing slash (GET /resource/), the Fastify adapter routes the request in a way that bypasses the Nest middleware stack registered via MiddlewareConsumer.forRoutes(). No user interaction or race condition is needed; the attack can be performed in a single request. [1][2]
Impact
Successful exploitation allows an unauthenticated attacker to bypass authentication or authorization middleware guarding protected routes. This can lead to unauthorized access to sensitive endpoints, resulting in potential information disclosure, privilege escalation, or other security consequences depending on the application logic behind the bypassed middleware. The compromise occurs at the route level, effectively removing the middleware protection intended for that path. The references describe only middleware registered via MiddlewareConsumer.forRoutes(); they do not state whether the same slashed request also skips Nest guards or interceptors, so applications that rely solely on forRoutes() middleware for authentication are the ones known to be exposed. [1][2]
Mitigation
The vulnerability was fixed in @nestjs/platform-fastify version 11.1.24; the patch listed below is the v11.1.24 release commit, which bumps every @nestjs/* package in the monorepo to that version. Users should upgrade to @nestjs/platform-fastify@11.1.24 or later, keeping @nestjs/core and @nestjs/common on the same release line. The references do not mention the vulnerability being listed on the CISA Known Exploited Vulnerabilities (KEV) catalog and document no workaround; upgrading is the recommended mitigation. Until the upgrade is deployed, exposure can be checked directly: request a forRoutes()-protected route without credentials, once as-is and once with a trailing slash, and compare the status codes. A 401 or 403 on the first and a 2xx on the second reproduces the bypass. [1][2]
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
1d8a0ab829ddd chore(release): publish v11.1.24 release
11 files changed · +17 −93
lerna.json+1 −1 modified@@ -1,5 +1,5 @@ { "packages": ["packages/*"], - "version": "11.1.23", + "version": "11.1.24", "$schema": "node_modules/lerna/schemas/lerna-schema.json" }
package-lock.json+0 −76 modified@@ -3235,82 +3235,6 @@ } } }, - "node_modules/@nestjs/common": { - "version": "11.1.22", - "resolved": "https://registry.npmjs.org/@nestjs/common/-/common-11.1.22.tgz", - "integrity": "sha512-mPNshGpl41vTtXoaOYzSZLiZAL9C08T+o/7DdtgATNPTFm6h1+UTg+mJo5ne3sDhqNx65y7gVGWVph/fbB9Hkw==", - "dev": true, - "license": "MIT", - "peer": true, - "dependencies": { - "file-type": "21.3.4", - "iterare": "1.2.1", - "load-esm": "1.0.3", - "tslib": "2.8.1", - "uid": "2.0.2" - }, - "funding": { - "type": "opencollective", - "url": "https://opencollective.com/nest" - }, - "peerDependencies": { - "class-transformer": ">=0.4.1", - "class-validator": ">=0.13.2", - "reflect-metadata": "^0.1.12 || ^0.2.0", - "rxjs": "^7.1.0" - }, - "peerDependenciesMeta": { - "class-transformer": { - "optional": true - }, - "class-validator": { - "optional": true - } - } - }, - "node_modules/@nestjs/core": { - "version": "11.1.22", - "resolved": "https://registry.npmjs.org/@nestjs/core/-/core-11.1.22.tgz", - "integrity": "sha512-Wy0KSQTeWiq+GZZQ3rnhSamqRztRBLWPWNeOlyIup7oVX5gnf+9ZyM8TUjUjy6chITomuNHVpHC6SH5WSb5hgg==", - "dev": true, - "hasInstallScript": true, - "license": "MIT", - "peer": true, - "dependencies": { - "@nuxt/opencollective": "0.4.1", - "fast-safe-stringify": "2.1.1", - "iterare": "1.2.1", - "path-to-regexp": "8.4.2", - "tslib": "2.8.1", - "uid": "2.0.2" - }, - "engines": { - "node": ">= 20" - }, - "funding": { - "type": "opencollective", - "url": "https://opencollective.com/nest" - }, - "peerDependencies": { - "@nestjs/common": "^11.0.0", - "@nestjs/microservices": "^11.0.0", - "@nestjs/platform-express": "^11.0.0", - "@nestjs/websockets": "^11.0.0", - "reflect-metadata": "^0.1.12 || ^0.2.0", - "rxjs": "^7.1.0" - }, - "peerDependenciesMeta": { - "@nestjs/microservices": { - "optional": true - }, - "@nestjs/platform-express": { - "optional": true - }, - "@nestjs/websockets": { - "optional": true - } - } - }, "node_modules/@nestjs/graphql": { "version": 
"13.4.2", "resolved": "https://registry.npmjs.org/@nestjs/graphql/-/graphql-13.4.2.tgz",
packages/common/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@nestjs/common", - "version": "11.1.23", + "version": "11.1.24", "description": "Nest - modern, fast, powerful node.js web framework (@common)", "author": "Kamil Mysliwiec", "homepage": "https://nestjs.com",
packages/core/package.json+2 −2 modified@@ -1,6 +1,6 @@ { "name": "@nestjs/core", - "version": "11.1.23", + "version": "11.1.24", "description": "Nest - modern, fast, powerful node.js web framework (@core)", "author": "Kamil Mysliwiec", "license": "MIT", @@ -39,7 +39,7 @@ "uid": "2.0.2" }, "devDependencies": { - "@nestjs/common": "11.1.23" + "@nestjs/common": "11.1.24" }, "peerDependencies": { "@nestjs/common": "^11.0.0",
packages/microservices/package.json+3 −3 modified@@ -1,6 +1,6 @@ { "name": "@nestjs/microservices", - "version": "11.1.23", + "version": "11.1.24", "description": "Nest - modern, fast, powerful node.js web framework (@microservices)", "author": "Kamil Mysliwiec", "license": "MIT", @@ -22,8 +22,8 @@ "tslib": "2.8.1" }, "devDependencies": { - "@nestjs/common": "11.1.23", - "@nestjs/core": "11.1.23" + "@nestjs/common": "11.1.24", + "@nestjs/core": "11.1.24" }, "peerDependencies": { "@grpc/grpc-js": "*",
packages/platform-express/package.json+3 −3 modified@@ -1,6 +1,6 @@ { "name": "@nestjs/platform-express", - "version": "11.1.23", + "version": "11.1.24", "description": "Nest - modern, fast, powerful node.js web framework (@platform-express)", "author": "Kamil Mysliwiec", "license": "MIT", @@ -25,8 +25,8 @@ "tslib": "2.8.1" }, "devDependencies": { - "@nestjs/common": "11.1.23", - "@nestjs/core": "11.1.23" + "@nestjs/common": "11.1.24", + "@nestjs/core": "11.1.24" }, "peerDependencies": { "@nestjs/common": "^11.0.0",
packages/platform-fastify/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@nestjs/platform-fastify", - "version": "11.1.23", + "version": "11.1.24", "description": "Nest - modern, fast, powerful node.js web framework (@platform-fastify)", "author": "Kamil Mysliwiec", "license": "MIT",
packages/platform-socket.io/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@nestjs/platform-socket.io", - "version": "11.1.23", + "version": "11.1.24", "description": "Nest - modern, fast, powerful node.js web framework (@platform-socket.io)", "author": "Kamil Mysliwiec", "license": "MIT",
packages/platform-ws/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@nestjs/platform-ws", - "version": "11.1.23", + "version": "11.1.24", "description": "Nest - modern, fast, powerful node.js web framework (@platform-ws)", "author": "Kamil Mysliwiec", "license": "MIT",
packages/testing/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@nestjs/testing", - "version": "11.1.23", + "version": "11.1.24", "description": "Nest - modern, fast, powerful node.js web framework (@testing)", "author": "Kamil Mysliwiec", "license": "MIT",
packages/websockets/package.json+3 −3 modified@@ -1,6 +1,6 @@ { "name": "@nestjs/websockets", - "version": "11.1.23", + "version": "11.1.24", "description": "Nest - modern, fast, powerful node.js web framework (@websockets)", "author": "Kamil Mysliwiec", "license": "MIT", @@ -18,8 +18,8 @@ "tslib": "2.8.1" }, "devDependencies": { - "@nestjs/common": "11.1.23", - "@nestjs/core": "11.1.23" + "@nestjs/common": "11.1.24", + "@nestjs/core": "11.1.24" }, "peerDependencies": { "@nestjs/common": "^11.0.0",
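Review bot: the packages/platform-fastify/package.json hunk is the only change to that package in this commit, and it touches nothing but the version field (`- "version": "11.1.23"` / `+ "version": "11.1.24"`); no adapter source file appears in the 11 files changed. This release commit therefore does not, on its own, show the middleware-matching fix the advisory attributes to 11.1.24. The advisory should also link the commit that changes the Fastify adapter's route or middleware matching, otherwise a reader auditing or backporting the fix cannot confirm from this page that 11.1.24 contains it.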
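Review bot: the package-lock.json hunk removes the `node_modules/@nestjs/common` and `node_modules/@nestjs/core` entries pinned at 11.1.22 (`"resolved": "https://registry.npmjs.org/@nestjs/common/-/common-11.1.22.tgz"`, both marked `"dev": true` and `"peer": true`) with no replacement entries visible in the diff, and the commit message says only "chore(release): publish v11.1.24 release". If these were stale registry copies superseded by the workspace packages the deletion is correct, but that should be stated in the message, and `npm ci` on the result should be checked to confirm both resolve to the workspace rather than to a now-unpinned registry version.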
Vulnerability mechanics
Root cause
"Trailing-slash URL mismatch in the Fastify adapter causes NestJS middleware registered via MiddlewareConsumer.forRoutes() to be skipped."
Attack vector
An unauthenticated attacker sends a request to a protected route (e.g. `GET /resource`) with an appended trailing slash (`GET /resource/`). On the default Fastify adapter configuration, the NestJS middleware registered via `MiddlewareConsumer.forRoutes()` does not match the URL with the trailing slash, so the middleware is never executed and the request reaches the route handler without authentication or authorization checks. The bypass applies to any route protected by `forRoutes()` middleware under `@nestjs/platform-fastify` in its default configuration; it is a single, unauthenticated request, with no timing or user interaction involved [CWE-863].
What the fix does
The patch shown is the v11.1.24 release commit: a version bump across all NestJS packages from 11.1.23 to 11.1.24, including `@nestjs/platform-fastify`. The advisory states the fix is in `@nestjs/platform-fastify@11.1.24`, but this diff does not reveal the code-level change; it updates package versions and lockfile entries only, and touches no adapter source. The actual fix presumably makes the trailing-slash form of a URL hit the same middleware match as the bare form (for example by normalizing the path before the `forRoutes()` lookup), but that mechanism cannot be confirmed from the patch on this page, so anyone auditing the fix should locate the corresponding adapter change in the 11.1.24 release rather than rely on the version bump alone.
Preconditions
- config: Application uses @nestjs/platform-fastify as the HTTP adapter
- config: Middleware is registered through MiddlewareConsumer.forRoutes() to protect specific routes
- config: No custom Fastify router options that would normalize trailing slashes are enabled
- network: Attacker can send HTTP requests to the application
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: no linked articles in the index yet.