SB2026061274 - Middleware bypass on fastify via trailing slash in NestJS Nest

Published: June 12, 2026

Security Bulletin ID: SB2026061274
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists because middleware registered through MiddlewareConsumer.forRoutes() is not applied correctly by the Fastify adapter when the request URL carries a trailing slash. A remote attacker can send a specially crafted request to bypass authentication.

Affected are applications that use the standard CRUD route shape and protect those routes with MiddlewareConsumer.forRoutes() middleware on the default Fastify adapter configuration.
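The following is an added example, not code from NestJS, Fastify or the bulletin's vendor. It illustrates the general failure class behind a trailing-slash middleware bypass: an authorization check keyed on the raw URL string misses "/cats/" while protecting "/cats". The example contrasts a naive exact-string matcher with one that canonicalises the path first, and includes a regression check a defender can run against their own handler to confirm that every protected path yields the same status with and without a trailing slash. The route prefixes, the bearer token and the prefix-matching convention are constructed for this example and do not describe how Nest's matcher works internally.

```typescript
// Added example (not NestJS/Fastify code): path canonicalisation before
// authorization, a naive matcher beside a canonical one, and a regression
// check for trailing-slash variants. All route data and tokens are constructed.

interface Request {
  method: string;
  url: string;
  headers: Record<string, string>;
}

interface Response {
  status: number;
  body: string;
}

// Constructed list of route prefixes that require an authenticated caller.
const PROTECTED_PREFIXES: string[] = ["/cats", "/admin"];

// Constructed bearer token; a real deployment validates a session or JWT.
const VALID_TOKEN = "Bearer demo-token";

// Canonicalise a request URL before any authorization decision: drop the
// query string/fragment, collapse repeated slashes, strip trailing slashes
// (keeping a lone "/").
function canonicalPath(url: string): string {
  let path = url.replace(/[?#].*$/, "");
  path = path.replace(/\/{2,}/g, "/");
  while (path.length > 1 && path.endsWith("/")) {
    path = path.slice(0, -1);
  }
  return path;
}

// Naive matcher: exact comparison on the raw URL. "/cats/" !== "/cats", so the
// trailing-slash variant is never treated as protected.
function naiveRequiresAuth(url: string): boolean {
  return PROTECTED_PREFIXES.includes(url);
}

// Canonical matcher: compare the normalised path and treat each prefix as
// protecting everything beneath it ("/cats", "/cats/", "/cats/42", "/cats//42").
function canonicalRequiresAuth(url: string): boolean {
  const path = canonicalPath(url);
  return PROTECTED_PREFIXES.some(
    (prefix) => path === prefix || path.startsWith(prefix + "/"),
  );
}

type Handler = (req: Request) => Response;

// Build a minimal handler that applies the auth check with the given matcher.
function makeHandler(requiresAuth: (url: string) => boolean): Handler {
  return (req: Request): Response => {
    if (requiresAuth(req.url) && req.headers["authorization"] !== VALID_TOKEN) {
      return { status: 401, body: "unauthorized" };
    }
    return { status: 200, body: "ok " + canonicalPath(req.url) };
  };
}

// Regression check: for an unauthenticated caller, every protected path must
// return the same status with and without a trailing slash. Returns the paths
// whose two variants disagree; an empty array means the handler is consistent.
function findTrailingSlashInconsistencies(handler: Handler, paths: string[]): string[] {
  const unauthenticated = (url: string): Request => ({ method: "GET", url, headers: {} });
  return paths.filter((p) => {
    const plain = handler(unauthenticated(p)).status;
    const slashed = handler(unauthenticated(p + "/")).status;
    return plain !== slashed;
  });
}

const naiveHandler: Handler = makeHandler(naiveRequiresAuth);
const canonicalHandler: Handler = makeHandler(canonicalRequiresAuth);

// Stand-alone demonstration: the naive handler reports both constructed prefixes
// as inconsistent, the canonical handler reports none.
console.log("naive:", findTrailingSlashInconsistencies(naiveHandler, PROTECTED_PREFIXES));
console.log("canonical:", findTrailingSlashInconsistencies(canonicalHandler, PROTECTED_PREFIXES));
```

The design point is that the authorization decision and the routing decision must agree on what a path is; canonicalising once, before either sees the URL, removes the class of mismatch rather than patching one variant. The regression check is the piece worth keeping in a test suite after applying the vendor update.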


Remediation

Install the update from the vendor's website.