GHSA-6v32-fjc9-9qf6
Nest: Middleware Bypass on Fastify via Trailing Slash
Details
### Impact
An authentication bypass vulnerability exists in `@nestjs/platform-fastify` (confirmed on version `11.1.24`, the latest available release at time of report). When middleware is registered through NestJS's `MiddlewareConsumer.forRoutes()` API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route by simply appending a trailing slash (`/`) to the request URL.
This bypass works on the **default Fastify adapter configuration** — no special router options need to be enabled. Applications using the standard CRUD route shape (`GET /resource` and `GET /resource/:id`) are affected when they protect those routes with `MiddlewareConsumer.forRoutes()` middleware.
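As an added example (not code from NestJS, Fastify or the advisory), a small TypeScript helper showing the matching gap the advisory describes: a route-scoped check that compares path segments literally does not cover `/resource/` for a rule registered for `/resource`, while a matcher that normalizes the trailing slash does. `findTrailingSlashGaps` is a hypothetical helper a regression test could use to enumerate request paths such a check would miss.

```typescript
// Added example, not part of NestJS, Fastify or the advisory. Shows why a
// route-scoped check must normalize trailing slashes, and provides a hypothetical
// test helper (findTrailingSlashGaps) to list the paths a literal matcher misses.

/** Drop query string and fragment; the router sees only the path. */
function stripQuery(url: string): string {
  const cut = url.search(/[?#]/);
  return cut === -1 ? url : url.slice(0, cut);
}

/** Collapse repeated slashes and drop a trailing slash (root stays "/"). */
function normalizePath(url: string): string {
  let p = stripQuery(url).replace(/\/{2,}/g, '/');
  if (p.length > 1 && p.endsWith('/')) p = p.slice(0, -1);
  return p;
}

/** Segment-wise comparison; ":param" segments accept any non-empty value. */
function matchSegments(want: string[], got: string[]): boolean {
  return want.length === got.length &&
    want.every((seg, i) => (seg.startsWith(':') ? got[i].length > 0 : seg === got[i]));
}

/** Literal matcher: "/resource/" has an extra empty segment, so it never matches "/resource". */
function matchesLiteral(pattern: string, url: string): boolean {
  return matchSegments(pattern.split('/'), stripQuery(url).split('/'));
}

/** Normalized matcher: "/resource/" and "/resource" are treated as the same route. */
function matchesNormalized(pattern: string, url: string): boolean {
  return matchSegments(normalizePath(pattern).split('/'), normalizePath(url).split('/'));
}

/**
 * Request paths the normalized matcher covers for the given route patterns but the
 * literal matcher does not. A regression test should assert this list is empty.
 */
function findTrailingSlashGaps(routes: string[], requests: string[]): string[] {
  return requests.filter(
    (r) => routes.some((p) => matchesNormalized(p, r)) && !routes.some((p) => matchesLiteral(p, r)),
  );
}

// Constructed sample: the CRUD route shape named in the advisory.
const protectedRoutes = ['/resource', '/resource/:id'];
const sampleRequests = ['/resource', '/resource/', '/resource/42', '/resource/42/', '/resource?x=1', '/other/'];
console.log(findTrailingSlashGaps(protectedRoutes, sampleRequests));
// → [ '/resource/', '/resource/42/' ]
```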
### Patches
Fixed in `@nestjs/platform-fastify@11.1.24`
### References
Kudos goes to @a-tt-om