Description
Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.24, an authentication bypass vulnerability exists in @nestjs/platform-fastify. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes() API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route by simply appending a trailing slash (/) to the request URL. This bypass works on the default Fastify adapter configuration. This vulnerability is fixed in 11.1.24.
Published: 2026-06-22
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug allows an unauthenticated client to bypass authentication middleware in Nest applications that use the Fastify adapter by simply adding a trailing slash to the request URL. This results in a full authentication bypass for the protected route, giving attackers the ability to execute actions that should require valid credentials, thereby compromising confidentiality, integrity, and availability of the system. The weakness is an improper access control flaw and is identified as CWE-863.

Affected Systems

The vulnerability affects the Nest framework, specifically the @nestjs/platform-fastify package, in all versions prior to 11.1.24. Any application that registers middleware through NestJS's MiddlewareConsumer.forRoutes() API while running on the Fastify adapter without additional path checks is susceptible.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity impact. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it remotely by sending a request with a trailing slash to a protected endpoint, bypassing authentication without needing any credentials. This short and straightforward attack path makes it likely that the vulnerability will be leveraged by remote threat actors.

Generated by OpenCVE AI on June 22, 2026 at 23:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @nestjs/platform-fastify to version 11.1.24 or newer to apply the vendor’s fix.
  • If an upgrade is not immediately possible, remove or replace the affected middleware on the protected routes with an implementation that explicitly rejects URLs ending with a trailing slash, or add a guard that normalizes paths before authentication.
  • Implement monitoring for requests that contain trailing slashes against protected routes and log or reject them to detect and prevent potential exploitation.
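The path normalization and the trailing-slash monitoring that the recommended actions describe, as an added Node.js example (not code from the advisory, OpenCVE, or the NestJS project); the protected prefixes, the access-log format and the log lines are constructed assumptions:

```javascript
// Added example: normalize request paths before authentication and flag
// trailing-slash requests that land on protected routes. All names, prefixes
// and log lines below are constructed for illustration.
const PROTECTED_PREFIXES = ['/admin', '/api/users'];

// Normalize a URL so that "/admin/" and "/admin" are treated identically before
// any route-scoped middleware decides whether to run. The query string is kept.
function normalizePath(url) {
  const qIdx = url.indexOf('?');
  const query = qIdx === -1 ? '' : url.slice(qIdx);
  let path = qIdx === -1 ? url : url.slice(0, qIdx);
  path = path.replace(/\/{2,}/g, '/');          // collapse repeated slashes
  if (path.length > 1 && path.endsWith('/')) {
    path = path.slice(0, -1);                   // strip the trailing slash
  }
  return path + query;
}

// Parse one access-log line of the constructed form
// 'ip - - [ts] "METHOD URL HTTP/1.1" status size' into { method, url, status }.
function parseAccessLogLine(line) {
  const m = line.match(/"([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3})/);
  return m ? { method: m[1], url: m[2], status: Number(m[3]) } : null;
}

// Return the requests whose raw path ends in "/" while the normalized path falls
// under a protected prefix: the request shape the advisory describes.
function findTrailingSlashRequests(lines, prefixes = PROTECTED_PREFIXES) {
  const hits = [];
  for (const line of lines) {
    const req = parseAccessLogLine(line);
    if (!req) continue;
    const rawPath = req.url.split('?')[0];
    if (rawPath === '/' || !rawPath.endsWith('/')) continue;
    const normalized = normalizePath(rawPath);
    if (prefixes.some(p => normalized === p || normalized.startsWith(p + '/'))) {
      hits.push({ ...req, normalized });
    }
  }
  return hits;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - - [22/Jun/2026:23:31:00 +0000] "GET /admin HTTP/1.1" 401 12',
  '10.0.0.5 - - [22/Jun/2026:23:31:02 +0000] "GET /admin/ HTTP/1.1" 200 845',
  '10.0.0.7 - - [22/Jun/2026:23:31:05 +0000] "GET /public/ HTTP/1.1" 200 120',
  '10.0.0.9 - - [22/Jun/2026:23:31:09 +0000] "POST /api/users/42/?x=1 HTTP/1.1" 200 33',
];
```

A 200 response on the trailing-slash variant of a route whose canonical form returns 401 is the signal worth alerting on; the normalized path can also be fed into the authentication check so the variant never reaches the handler unauthenticated.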

Generated by OpenCVE AI on June 22, 2026 at 23:31 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-6v32-fjc9-9qf6
Title: Nest: Middleware Bypass on Fastify via Trailing Slash
History

Tue, 23 Jun 2026 01:30:00 +0000

First Time appeared (values added): Nestjs; Nestjs nest
Vendors & Products (values added): Nestjs; Nestjs nest

Mon, 22 Jun 2026 22:00:00 +0000

Description (value added): Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.24, an authentication bypass vulnerability exists in @nestjs/platform-fastify. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes() API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route by simply appending a trailing slash (/) to the request URL. This bypass works on the default Fastify adapter configuration. This vulnerability is fixed in 11.1.24.
Title (value added): Nest: Middleware Bypass on Fastify via Trailing Slash
Weaknesses (value added): CWE-863
References (values added):
Metrics (value added): cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T20:48:45.895Z

Reserved: 2026-06-12T17:13:32.280Z

Link: CVE-2026-54281

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T01:15:16Z

Weaknesses