Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-8wpr-639p-ccrj: Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)

A NestJS application is vulnerable if it meets all of the following criteria:

  1. Platform: Uses @nestjs/platform-fastify.
  2. Security Mechanism: Relies on NestMiddleware (via MiddlewareConsumer) for security checks (authentication, authorization, etc.), or through app.use()
  3. Routing: Applies middleware to specific routes using string paths or controllers (e.g., .forRoutes('admin')). Example Vulnerable Config:
// app.module.ts
export class AppModule implements NestModule {
  configure(consumer: MiddlewareConsumer) {
    consumer
      .apply(AuthMiddleware) // Security check
      .forRoutes('admin');   // Vulnerable: Path-based restriction
  }
}

Attack Vector:

  • Target Route: /admin
  • Middleware Path: admin
  • Attack Request: GET /%61dmin
  • Result: Middleware is skipped (no match on %61dmin), but controller for /admin is executed.

Consequences:

  • Authentication Bypass: Unauthenticated users can access protected routes.
  • Authorization Bypass: Restricted administrative endpoints become accessible to lower-privileged users.
  • Input Validation Bypass: Middleware performing sanitization or validation can be skipped.

Patches

Patched in @nestjs/platform-fastify@11.1.11

Resources

Credit goes to Hacktron AI for reporting this issue.

ghsa
Open in Source
#nodejs#js#git#auth
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2025-69211

Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)

Moderate severity GitHub Reviewed Published Dec 29, 2025 in nestjs/nest • Updated Dec 30, 2025

Package

npm @nestjs/platform-fastify (npm)

Affected versions

< 11.1.10

A NestJS application is vulnerable if it meets all of the following criteria:

  1. Platform: Uses @nestjs/platform-fastify.
  2. Security Mechanism: Relies on NestMiddleware (via MiddlewareConsumer) for security checks (authentication, authorization, etc.), or through app.use()
  3. Routing: Applies middleware to specific routes using string paths or controllers (e.g., .forRoutes(‘admin’)).
    Example Vulnerable Config:

// app.module.ts export class AppModule implements NestModule { configure(consumer: MiddlewareConsumer) { consumer .apply(AuthMiddleware) // Security check .forRoutes(‘admin’); // Vulnerable: Path-based restriction } }

Attack Vector:

  • Target Route: /admin
  • Middleware Path: admin
  • Attack Request: GET /%61dmin
  • Result: Middleware is skipped (no match on %61dmin), but controller for /admin is executed.

Consequences:

  • Authentication Bypass: Unauthenticated users can access protected routes.
  • Authorization Bypass: Restricted administrative endpoints become accessible to lower-privileged users.
  • Input Validation Bypass: Middleware performing sanitization or validation can be skipped.

Patches

Patched in @nestjs/platform-fastify@11.1.11

Resources

Credit goes to Hacktron AI for reporting this issue.

References

  • GHSA-8wpr-639p-ccrj
  • https://nvd.nist.gov/vuln/detail/CVE-2025-69211
  • nestjs/nest@c4cedda

Published to the GitHub Advisory Database

Dec 30, 2025

Last updated

Dec 30, 2025

ghsa: Latest News

GHSA-x4m5-4cw8-vc44: axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header
ghsa