Description
A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled.



This issue affects nest.Js: 11.1.13.
Published: 2026-02-27
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication/Authorization Bypass
Action: Immediate Patch
AI Analysis

Impact

The flaw arises when a NestJS application uses the @nestjs/platform-fastify package with Fastify's path‑normalisation options turned on. The framework fails to invoke its validation pipeline before executing authentication and authorization middleware, allowing crafted HTTP requests to bypass those checks. This defect corresponds to identity management weaknesses (CWE‑551) and authorization bypass (CWE‑863). An attacker can therefore reach endpoints or resources that should be protected, exposing data or enabling actions that the user is not permitted to perform.

Affected Systems

Any Node.js deployment of NestJS 11.1.13 that imports @nestjs/platform-fastify is affected. The vulnerability applies to applications running on Linux, macOS, or Windows where Fastify path‑normalisation is enabled. Users deploying the open‑source NestJS framework must ensure they are not using this specific release with the default configuration.

Risk and Exploitability

With a CVSS score of 8.2, the vulnerability is high severity. The EPSS score is below 1 %, indicating a low likelihood of exploitation at present, and it is not listed in the CISA KEV catalog. Nevertheless, the attack path is simple: an adversary can send specially crafted HTTP requests to a publicly reachable NestJS instance, which will be processed without the normal authentication and authorization checks. No special privileges or network access beyond the ability to reach the target server are required.

Generated by OpenCVE AI on April 18, 2026 at 10:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NestJS to version 11.1.14 or later, which restores proper validation before authentication and authorization checks.
  • If an upgrade cannot be performed immediately, disable Fastify’s path‑normalisation options in the server configuration to prevent the bypass path.
  • Audit the application to confirm that all authentication and authorization middleware execute before any route handlers or proxies, and correct any ordering or scope errors.

Generated by OpenCVE AI on April 18, 2026 at 10:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r4wm-x892-vjmx Nest has a Fastify URL Encoding Middleware Bypass
History

Tue, 14 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Nestjs
Nestjs nest
CPEs cpe:2.3:a:nestjs:nest:11.1.13:*:*:*:*:node.js:*:*
Vendors & Products Nestjs
Nestjs nest
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 03 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-551
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

threat_severity

Important

Fri, 27 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects nest.Js: 11.1.13.
Title NestJS 11.1.13 - Lack of data validation allowing authentication/authorization bypass
First Time appeared Nest.js
Nest.js nest.js
Weaknesses CWE-863
CPEs cpe:2.3:a:nest.js:nest.js:11.1.13:*:ios:*:*:*:*:*
cpe:2.3:a:nest.js:nest.js:11.1.13:*:macos:*:*:*:*:*
cpe:2.3:a:nest.js:nest.js:11.1.13:*:windows:*:*:*:*:*
Vendors & Products Nest.js
Nest.js nest.js
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Nest.js Nest.js
Nestjs Nest
cve-icon MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-02-27T17:07:59.779Z

Reserved: 2026-02-10T15:48:58.721Z

Link: CVE-2026-2293

cve-icon Vulnrichment

Updated: 2026-02-27T17:07:48.467Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T17:16:33.357

Modified: 2026-04-14T00:30:36.907

Link: CVE-2026-2293

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-27T16:15:11Z

Links: CVE-2026-2293 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:15:25Z

Weaknesses