8.2
NestJS: Authentication Bypass When Using Fastify Path Normalization
GHSA-7q64-3rg2-h9pf
Summary
A security issue in NestJS versions 11.1.13 and earlier can allow requests to bypass authentication/authorization middleware in applications that use @nestjs/platform-fastify with Fastify path-normalization options enabled. This could allow attackers to reach protected areas of the application and access sensitive data without proper authentication. To fix this, update to a newer version of NestJS.
What to do
- Update @nestjs/platform-fastify to version 11.1.14.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| nestjs | platform-fastify | <= 11.1.14 | 11.1.14 |
Original title
Duplicate Advisory: Nest has a Fastify URL Encoding Middleware Bypass
Original description
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-r4wm-x892-vjmx. This link is maintained to preserve external references.
## Original Description
A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled.
This issue affects NestJS: 11.1.13.
ghsa CVSS4.0
8.2
Vulnerability type
CWE-863
Incorrect Authorization
Published: 27 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026