Description
Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist). As a result: middleware will be completely skipped, the HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET handler), and the actual handler will still be executed. This issue is fixed in version 11.1.16.
Published: 2026-03-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Middleware bypass via HEAD requests
Action: Patch Now
AI Analysis

Impact

The vulnerability stems from Fastify's automatic fallback from HEAD requests to GET handlers in NestJS applications that register GET-specific middleware through @nestjs/platform-fastify. When a HEAD request arrives for a path that has a corresponding GET handler, Fastify routes the request to that handler without passing through the GET middleware. As a result, any GET-specific middleware, such as authentication, logging, or rate limiting, is bypassed; the response body is omitted because the HEAD response is truncated; and the original GET handler executes as if the request were an ordinary GET. This behavior is captured by CWE-670, which denotes a violation of intended authorization or flow control.

Affected Systems

Affected systems are NestJS applications built with the @nestjs/platform-fastify package running version 11.1.15 or earlier. The impact applies to the NestJS framework core library, which is typically deployed in Node.js runtime environments. Versions 11.1.16 and later contain the fix and are not affected.

Risk and Exploitability

The CVSS base score is 8.7, indicating high severity, while the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting low current exploitation probability. The most likely exploitation path involves an attacker sending a simple HEAD request to a publicly reachable NestJS endpoint that implements a GET handler, causing the middleware chain to be skipped and handler logic to run without the intended safeguards. Because the missing middleware can include authorization checks, the potential impact extends to unauthorized execution of the handler logic, as inferred from the description of the bypass.

Generated by OpenCVE AI on March 23, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official NestJS security patch by upgrading to version 11.1.16 or newer.
  • If HEAD requests are unnecessary for your application, configure the server or application to reject them.
  • Consider adding firewall or WAF rules to filter out unwanted HEAD traffic before it reaches the application.

Generated by OpenCVE AI on March 23, 2026 at 21:20 UTC.
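One way to implement the second recommended action above (rejecting HEAD requests before Fastify's HEAD-to-GET fallback can reach a GET handler), written here as an added example rather than code from the NestJS or Fastify projects. HEAD_ALLOWLIST, rejectHead, pathOf and simulate are names chosen for this example; the registration call in the comments is assumed and not executed.

```javascript
// Added example (not NestJS/Fastify project code): a Fastify onRequest hook that
// refuses HEAD requests before routing, so Fastify's HEAD-to-GET fallback never
// reaches a GET handler whose route middleware would otherwise be skipped.
// Assumed registration (not executed here):
//   fastify.addHook('onRequest', rejectHead);
// or, from a NestJS bootstrap that uses FastifyAdapter:
//   app.getHttpAdapter().getInstance().addHook('onRequest', rejectHead);

// Paths that legitimately need HEAD, e.g. a health probe. Constructed value:
// on the vulnerable versions these paths still skip middleware, so only list
// routes that need no middleware protection.
const HEAD_ALLOWLIST = new Set(['/healthz']);

// Strip the query string so '/admin?x=1' matches the allowlist key '/admin'.
function pathOf(url) {
  const q = url.indexOf('?');
  return q === -1 ? url : url.slice(0, q);
}

// Callback-style Fastify hook: sending a reply and NOT calling done() ends the
// request before the router runs, which is how a hook short-circuits in Fastify.
function rejectHead(request, reply, done) {
  if (request.method === 'HEAD' && !HEAD_ALLOWLIST.has(pathOf(request.url))) {
    reply.code(405).header('Allow', 'GET').send();
    return;
  }
  done();
}

// Minimal stand-in for Fastify's request/reply objects so the hook's decision
// can be exercised without a running server. Returns the status the hook set,
// or null when the request was passed on to routing.
function simulate(method, url) {
  let status = null;
  const reply = {
    code(c) { status = c; return this; },
    header() { return this; },
    send() { return this; },
  };
  let passed = false;
  rejectHead({ method, url }, reply, () => { passed = true; });
  return passed ? null : status;
}

module.exports = { rejectHead, simulate, HEAD_ALLOWLIST };
```

Upgrading to 11.1.16 remains the real fix; the hook only closes the HEAD path for deployments that cannot upgrade immediately.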

Advisories
Source: GitHub GHSA
ID: GHSA-wf42-42fg-fg84
Title: Nest Fastify HEAD Request Middleware Bypass
History

Mon, 23 Mar 2026 19:30:00 +0000

Values added:
  CPEs: cpe:2.3:a:nestjs:nest:*:*:*:*:*:node.js:*:*
  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Fri, 20 Mar 2026 16:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Values added:
  First Time appeared: Nestjs; Nestjs nest
  Vendors & Products: Nestjs; Nestjs nest

Fri, 20 Mar 2026 04:45:00 +0000

Values added:
  Description: Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist). As a result: middleware will be completely skipped, the HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET handler), and the actual handler will still be executed. This issue is fixed in version 11.1.16.
  Title: Nest Fastify HEAD Request Middleware Bypass
  Weaknesses: CWE-670
  References:
  Metrics (cvssV4_0): {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T15:48:23.564Z

Reserved: 2026-03-17T17:22:14.664Z

Link: CVE-2026-33011

Vulnrichment

Updated: 2026-03-20T15:48:18.888Z

NVD

Status: Analyzed

Published: 2026-03-20T05:16:15.043

Modified: 2026-03-23T19:26:31.710

Link: CVE-2026-33011

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:09:17Z

Weaknesses