Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.2
NestJS with Fastify can bypass security middleware checks
CVE-2026-2293
GHSA-r4wm-x892-vjmx
Summary
A bug in NestJS using Fastify can allow some URLs to bypass security checks and reach protected areas of the app. This happens when certain settings are enabled, which can lead to unauthorized access. To fix, update to @nestjs/[email protected] or later.
What to do
- Update nestjs platform-fastify to version 11.1.14.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| nestjs | platform-fastify | <= 11.1.13 | 11.1.14 |
Original title
Nest has a Fastify URL Encoding Middleware Bypass
Original description
### Impact
_What kind of vulnerability is it? Who is impacted?_
A NestJS application using `@nestjs/platform-fastify` can allow bypass of any middleware when Fastify path-normalization options (e.g., `ignoreTrailingSlash`, `ignoreDuplicateSlashes`, `useSemicolonDelimiter`) are enabled. In affected route-scoped middleware setups, variant paths may skip middleware checks while still reaching the protected handler.
The bug is a path canonicalization mismatch between middleware matching and route matching in Nest’s Fastify adapter.
Nest passes Fastify routerOptions (such as `ignoreTrailingSlash`, `ignoreDuplicateSlashes`, `useSemicolonDelimiter`) to the Fastify router in packages/platform-fastify/adapters/fastify-adapter.ts:253.
But middleware execution is decided by a separate regex check over `req.originalUrl` in packages/platform-fastify/adapters/fastify-adapter.ts:706 and packages/platform-fastify/adapters/fastify-adapter.ts:713.
If that regex does not match, Nest does `next()` and skips the middleware (packages/platform-fastify/adapters/fastify-adapter.ts:714), while Fastify may still normalize the same path and route it to the protected handler. So the vulnerability exists because security checks (middleware) and request dispatch(router) use different URL interpretations.
This is a fail-open design issue (inconsistent normalization), not just a bad app config: non-default router options make the mismatch reachable.
### Patches
Fixed in `@nestjs/[email protected]`
### References
Credit goes to Fluidattacks ([Cristian Vargas](https://www.linkedin.com/in/cvmiracle/)) https://fluidattacks.com/advisories/neton
_What kind of vulnerability is it? Who is impacted?_
A NestJS application using `@nestjs/platform-fastify` can allow bypass of any middleware when Fastify path-normalization options (e.g., `ignoreTrailingSlash`, `ignoreDuplicateSlashes`, `useSemicolonDelimiter`) are enabled. In affected route-scoped middleware setups, variant paths may skip middleware checks while still reaching the protected handler.
The bug is a path canonicalization mismatch between middleware matching and route matching in Nest’s Fastify adapter.
Nest passes Fastify routerOptions (such as `ignoreTrailingSlash`, `ignoreDuplicateSlashes`, `useSemicolonDelimiter`) to the Fastify router in packages/platform-fastify/adapters/fastify-adapter.ts:253.
But middleware execution is decided by a separate regex check over `req.originalUrl` in packages/platform-fastify/adapters/fastify-adapter.ts:706 and packages/platform-fastify/adapters/fastify-adapter.ts:713.
If that regex does not match, Nest does `next()` and skips the middleware (packages/platform-fastify/adapters/fastify-adapter.ts:714), while Fastify may still normalize the same path and route it to the protected handler. So the vulnerability exists because security checks (middleware) and request dispatch(router) use different URL interpretations.
This is a fail-open design issue (inconsistent normalization), not just a bad app config: non-default router options make the mismatch reachable.
### Patches
Fixed in `@nestjs/[email protected]`
### References
Credit goes to Fluidattacks ([Cristian Vargas](https://www.linkedin.com/in/cvmiracle/)) https://fluidattacks.com/advisories/neton
nvd CVSS4.0
8.2
Vulnerability type
CWE-863
Incorrect Authorization
- https://github.com/nestjs/nest/
- https://github.com/nestjs/nest/security/advisories/GHSA-r4wm-x892-vjmx
- https://nvd.nist.gov/vuln/detail/CVE-2026-2293
- https://github.com/nestjs/nest/commit/fd8d073e0e048b185147209338ca7042e52c10ba
- https://github.com/advisories/GHSA-r4wm-x892-vjmx
- https://fluidattacks.com/advisories/neton
- https://github.com/nestjs/nest/releases/tag/v11.1.14
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026