Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.24, an authentication bypass vulnerability exists in @nestjs/platform-fastify. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes() API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route by simply appending a trailing slash (/) to the request URL. This bypass works on the default Fastify adapter configuration. This vulnerability is fixed in 11.1.24.
Nest: Middleware Bypass on Fastify via Trailing Slash
Problem type
CWE-863: Incorrect Authorization
Affected products
nestjs / nest
< 11.1.24 - AFFECTED
References
GitHub Security Advisories
GHSA-6v32-fjc9-9qf6
Nest: Middleware Bypass on Fastify via Trailing Slash
https://github.com/advisories/GHSA-6v32-fjc9-9qf6
Impact
An authentication bypass vulnerability exists in @nestjs/platform-fastify (confirmed on version 11.1.24, the latest available release at time of report). When middleware is registered through NestJS's MiddlewareConsumer.forRoutes() API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route by simply appending a trailing slash (/) to the request URL.
This bypass works on the default Fastify adapter configuration — no special router options need to be enabled. Applications using the standard CRUD route shape (GET /resource and GET /resource/:id) are affected when they protect those routes with MiddlewareConsumer.forRoutes() middleware.
Patches
Fixed in @nestjs/platform-fastify@11.1.24
References
Kudos goes to @a-tt-om
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-54281
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-54281",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-06-22T20:48:45.895Z",
"dateReserved": "2026-06-12T17:13:32.280Z",
"datePublished": "2026-06-22T20:48:45.895Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-06-22T20:48:45.895Z"
},
"title": "Nest: Middleware Bypass on Fastify via Trailing Slash",
"descriptions": [
{
"lang": "en",
"value": "Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.24, an authentication bypass vulnerability exists in @nestjs/platform-fastify. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes() API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route by simply appending a trailing slash (/) to the request URL. This bypass works on the default Fastify adapter configuration. This vulnerability is fixed in 11.1.24."
}
],
"affected": [
{
"vendor": "nestjs",
"product": "nest",
"versions": [
{
"version": "< 11.1.24",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-863: Incorrect Authorization",
"cweId": "CWE-863",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/nestjs/nest/security/advisories/GHSA-6v32-fjc9-9qf6",
"name": "https://github.com/nestjs/nest/security/advisories/GHSA-6v32-fjc9-9qf6",
"tags": [
"x_refsource_CONFIRM"
]
}
],
"metrics": [
{}
]
}
}
}