CVE-2025-69211
Fastify Middleware Bypass in NestJS Enables Unauthorized Access
Publication date: 2025-12-29
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nestjs | nest | to 11.1.11 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects NestJS applications that run on Fastify through the @nestjs/platform-fastify package in versions before 11.1.11. It is a URL-encoding bypass of route-scoped middleware: when NestMiddleware is bound to particular routes by string path or by controller (for example with consumer.apply(AuthMiddleware).forRoutes('admin')), the adapter compared the middleware's path against a different form of the request path than the one Fastify's router uses to select the handler. A percent-encoded spelling of a protected path, such as '/%61dmin' for '/admin', therefore does not match the middleware registration but is still routed to the '/admin' handler, so the middleware never runs. Any check the middleware performs is skipped for such requests: unauthenticated users can reach protected routes, lower-privileged users can reach administrative endpoints, and input that authentication, authorization, sanitization or validation middleware would have rejected arrives at the handler unchecked.
How can this vulnerability impact me?
An attacker who can reach the application can gain unauthorized access, as an unauthenticated or lower-privileged user, to routes and administrative endpoints whose only protection is route-scoped middleware. The security checks that middleware performs are bypassed, so the attacker may perform actions or read data they are not permitted to, compromising the application's confidentiality and integrity. Handlers behind the middleware are also exposed to input it would normally have sanitized or rejected.
What immediate steps should I take to mitigate this vulnerability?
Update @nestjs/platform-fastify to version 11.1.11 or later, where the URL-encoding middleware bypass is patched, and redeploy. Until you can upgrade, do not rely on route-scoped NestMiddleware alone for authentication and authorization on Fastify: enforce those checks with guards, which Nest attaches to the matched route handler rather than to a path string, or apply the security middleware globally so it runs for every request regardless of how the path is spelled. After patching, re-test each middleware-protected route with a percent-encoded path to confirm the middleware now runs for it.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
By skipping middleware that enforces authentication, authorization and input validation, the flaw can expose restricted administrative endpoints, and the personal or sensitive data behind them, to unauthorized users. Regulations such as GDPR and HIPAA require effective access controls over such data, so an exploited instance would amount to a failure of those controls and could put the organisation out of compliance with them. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start with the installed version: run 'npm ls @nestjs/platform-fastify' (or inspect the lockfile) in the application directory. Anything below 11.1.11 is affected if the application binds NestMiddleware to routes by string path or controller. To confirm at runtime, send the same unauthenticated request to a middleware-protected route twice, once with the plain path and once with a percent-encoded spelling of it, and compare the responses. For a route '/admin', '%61' is the encoding of 'a', so:
curl -i http://yourserver/admin
curl -i http://yourserver/%61dmin
On a patched or unaffected deployment both requests receive the same rejection from the middleware (for example 401 or 403). If the encoded form returns the protected resource (a 200 with the admin content) while the plain form is rejected, the middleware was skipped and the deployment is vulnerable. A 404 on the encoded form means the router did not map that spelling onto the route, so it is not a bypass for that route. Repeat the pair for every route that depends on middleware for its security checks, keeping the headers identical so that the path encoding is the only variable. The check is deterministic: the bypass is a mismatch between the path the middleware matcher compares and the path the Fastify router decodes, not a timing window, so a single request either exercises it or does not. [1, 2]