CVE-2026-33011
Received Received - Intake
Middleware Bypass in NestJS @nestjs/platform-fastify via HEAD Requests

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist). As a result: middleware will be completely skipped, the HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET handler), and the actual handler will still be executed. This issue is fixed in version 11.1.16.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33011
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nestjs nest to 11.1.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-670 The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33011 is a vulnerability in NestJS applications using the @nestjs/platform-fastify package, versions 11.1.15 and below. The issue occurs because Fastify automatically redirects HTTP HEAD requests to the corresponding GET handlers if they exist. However, middleware registered for GET requests is bypassed during this redirection, meaning the middleware does not execute for HEAD requests even though the GET handler does.

As a result, the middleware logic is completely skipped for HEAD requests, and the HTTP response to the HEAD request does not include a body because the response is truncated during the redirection. This can cause security or functionality issues where middleware is expected to run on all requests.

This vulnerability was fixed in version 11.1.16 by updating the middleware logic to treat HEAD requests as equivalent to GET requests, ensuring middleware runs correctly for both.

Impact Analysis

This vulnerability can impact you by allowing middleware to be bypassed during HEAD requests in NestJS applications using the affected versions of @nestjs/platform-fastify. Middleware often handles important tasks such as authentication, logging, input validation, or security checks.

If middleware is skipped, security controls or other critical processing may not be applied, potentially exposing the application to unauthorized access, data leakage, or other security risks.

Additionally, the HTTP response to HEAD requests will lack a body due to the truncation caused by the redirection, which may affect application functionality or client behavior.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by observing whether HTTP HEAD requests to your NestJS application using @nestjs/platform-fastify are bypassing middleware execution. Since Fastify redirects HEAD requests to GET handlers, middleware registered for GET requests may be skipped during HEAD requests.

To detect this behavior, you can send HTTP HEAD requests to endpoints that have GET middleware and check if the middleware logic is executed or not.

Example commands using curl to test this behavior:

  • curl -I -X HEAD http://your-nestjs-app/your-get-endpoint
  • curl -X GET http://your-nestjs-app/your-get-endpoint

Compare the responses and logs for HEAD and GET requests. If middleware is skipped on HEAD requests but runs on GET requests, the vulnerability is present.

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the @nestjs/platform-fastify package to version 11.1.16 or later, where the issue is fixed.

This fix ensures that middleware registered for GET requests will also be executed for HEAD requests, preventing middleware bypass.

If upgrading immediately is not possible, consider implementing explicit middleware handling for HEAD requests as a temporary workaround, although this is less ideal.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33011. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart