CVE-2026-33011
Middleware Bypass in NestJS @nestjs/platform-fastify via HEAD Requests
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nestjs | nest (@nestjs/platform-fastify) | < 11.1.16 (fixed in 11.1.16) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-670 | The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33011 affects NestJS applications that use the @nestjs/platform-fastify package, versions 11.1.15 and below. Fastify exposes a HEAD route for every GET route by default (its exposeHeadRoutes option), so a HEAD request to a GET endpoint is served by the GET handler. In the affected versions, middleware that NestJS registered for the GET route was resolved for the GET method only, so a HEAD request reached the handler without passing through that middleware.
The result is that middleware logic is skipped entirely for HEAD requests. A HEAD response carries no body by definition (RFC 9110), so the handler's output is discarded, but the handler still runs: the status code, the response headers and any server-side side effects are produced without the middleware having executed. Any deployment that relies on middleware running on every request to a route is exposed. The mismatch between the intended control flow (middleware, then handler) and the actual one (handler only) is why the issue is classified as CWE-670.
The fix in version 11.1.16 changes middleware resolution to treat HEAD as equivalent to GET, so middleware registered for a GET route also runs for the automatically exposed HEAD route.
How can this vulnerability impact me?
In affected versions of @nestjs/platform-fastify, any middleware bound to a GET route can be bypassed by sending the same request as HEAD. Middleware is commonly where authentication, rate limiting, request logging, input validation and other security checks live.
When it is skipped, those controls are not applied: the GET handler runs for an unauthenticated or unvalidated HEAD request, which can expose status codes and headers that reveal whether a resource exists or what it contains, trigger the handler's side effects without the usual checks, and leave rate-limit counters and audit logs untouched.
Because a HEAD response has no body, the bypass is not visible in response content. It shows up as a status code or set of headers that differs from the GET response, and in server-side behaviour that the middleware was supposed to gate.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
First confirm the installed version: run npm ls @nestjs/platform-fastify (or the equivalent for your package manager) in the application directory; anything below 11.1.16 is affected.
To confirm the behaviour on a running application, pick a GET endpoint whose middleware rejects or decorates unauthenticated requests (for example one that answers 401 or 403 without credentials), then send the same request as GET and as HEAD and compare the status line and headers. Note that curl -I already sends a HEAD request; do not combine it with -X HEAD, and never use -X HEAD on its own, because curl will then wait for a body that never arrives.
Example commands using curl:
- curl -sS -I http://your-nestjs-app/your-get-endpoint
- curl -sS -i http://your-nestjs-app/your-get-endpoint
Compare the two responses and the application's middleware logs. If the GET request is rejected or logged by the middleware but the HEAD request is served by the handler without the middleware having run, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The recommended mitigation is to upgrade @nestjs/platform-fastify to version 11.1.16 or later, where the issue is fixed.
With the fix, middleware registered for a GET route also runs for the HEAD route that Fastify exposes for it, so the bypass is closed without any change to application code.
If you cannot upgrade immediately, two temporary workarounds exist. Either bind security-relevant middleware to HEAD as well as GET (in NestJS, add a forRoutes entry with RequestMethod.HEAD, or use RequestMethod.ALL for the route), or stop Fastify from exposing HEAD routes automatically by passing exposeHeadRoutes: false in the Fastify options given to the FastifyAdapter, so HEAD requests get a 404 instead of an unguarded handler. Both are less complete than the upgrade: the first depends on every affected route being enumerated, and the second removes HEAD support for clients that rely on it.