Incorrect authorization in nest - #VU134473

Published: June 12, 2026

Vulnerability identifier: #VU134473
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: nestjs
Affected software: nest

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to improper access control in the Fastify adapter's handling of MiddlewareConsumer.forRoutes() middleware for requests whose URL carries a trailing slash. A remote attacker can send a specially crafted request to bypass authentication.

This affects applications that use the standard CRUD route shape and protect those routes with MiddlewareConsumer.forRoutes() middleware on the default Fastify adapter configuration.
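The advisory does not describe the exact matching logic inside the adapter. The following constructed example (not NestJS or Fastify code, and not the vendor's fix) illustrates the general defect class behind a trailing-slash bypass: a route-scoped middleware matcher and a router that disagree on whether `/users/42/` is the same resource as `/users/42`, plus a canonicalisation step and a regression check an application team could adapt to their own protected route list.

```javascript
// Constructed example: minimal router-vs-middleware path matching to show why a
// trailing-slash mismatch yields an authorization bypass (CWE-863), and the
// canonicalisation that closes it. Not NestJS/Fastify code; all names are invented.

// Compile an Express-style pattern such as "/users/:id" into an anchored RegExp.
function compilePattern(pattern, { ignoreTrailingSlash }) {
  const body = pattern
    .split('/')
    .map(seg => (seg.startsWith(':') ? '[^/]+' : seg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')))
    .join('/');
  return new RegExp('^' + body + (ignoreTrailingSlash ? '/?' : '') + '$');
}

// Canonicalise a request path: strip the query and any trailing slashes (except root).
function canonicalPath(path) {
  const noQuery = path.split('?')[0];
  return noQuery.length > 1 ? noQuery.replace(/\/+$/, '') : noQuery;
}

// Does an auth middleware registered for `patterns` guard `reqPath`?
// `normalize` decides whether the guard canonicalises the path before matching.
function middlewareApplies(patterns, reqPath, normalize) {
  const path = normalize ? canonicalPath(reqPath) : reqPath;
  return patterns.some(p => compilePattern(p, { ignoreTrailingSlash: false }).test(path));
}

// Would a router that tolerates trailing slashes (assumed here) still dispatch
// `reqPath` to a handler registered for one of `patterns`?
function routerDispatches(patterns, reqPath) {
  return patterns.some(p => compilePattern(p, { ignoreTrailingSlash: true }).test(reqPath));
}

// Regression check: every protected route, with and without a trailing slash,
// must be guarded whenever the router would dispatch it. Returns the unguarded paths.
function findUnguardedVariants(patterns, sampleId, normalize) {
  const gaps = [];
  for (const p of patterns) {
    const concrete = p.replace(/:[^/]+/g, () => sampleId);
    for (const v of [concrete, concrete + '/']) {
      if (routerDispatches(patterns, v) && !middlewareApplies(patterns, v, normalize)) {
        gaps.push(v);
      }
    }
  }
  return gaps;
}

// Constructed sample: the "standard CRUD route shape" the advisory refers to.
const CRUD_ROUTES = ['/users', '/users/:id'];
```

Running `findUnguardedVariants(CRUD_ROUTES, '42', false)` lists the slash-suffixed variants the guard misses, while the same call with `normalize` set to `true` returns an empty list.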

Remediation

Install security update from vendor's website.

Sources