CVE-2026-54281
Deferred Deferred - Pending Action

Authentication Bypass in NestJS Fastify Adapter

Vulnerability report for CVE-2026-54281, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.24, an authentication bypass vulnerability exists in @nestjs/platform-fastify. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes() API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route by simply appending a trailing slash (/) to the request URL. This bypass works on the default Fastify adapter configuration. This vulnerability is fixed in 11.1.24.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-24
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
nestjs nest to 11.1.24 (exc)
nestjs platform_fastify to 11.1.24 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows an unauthenticated client to bypass authentication middleware by appending a trailing slash to the request URL, potentially granting unauthorized access to protected resources.

Such unauthorized access could lead to exposure or compromise of sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA that require strict access controls and protection of personal or health information.

Therefore, this vulnerability could negatively affect compliance with these standards by undermining authentication mechanisms and increasing the risk of data breaches.

Executive Summary

This vulnerability exists in the NestJS framework, specifically in the @nestjs/platform-fastify package before version 11.1.24. It allows an unauthenticated client to bypass the authentication middleware registered for certain routes when using the Fastify adapter. The bypass occurs if the client appends a trailing slash (/) to the request URL, causing the middleware to be skipped under the default Fastify configuration.

Impact Analysis

This vulnerability can allow unauthorized users to access protected routes or resources without proper authentication by exploiting the trailing slash bypass. This could lead to unauthorized access to sensitive data or functionality, potentially compromising the security of applications built with the affected NestJS versions.

Mitigation Strategies

To mitigate this vulnerability, update the @nestjs/platform-fastify package to version 11.1.24 or later, where the authentication bypass issue has been fixed.

Additionally, review your middleware registration using MiddlewareConsumer.forRoutes() on the Fastify adapter to ensure no unauthenticated access is possible via trailing slashes in request URLs.

Detection Guidance

This vulnerability occurs when middleware registered via NestJS's MiddlewareConsumer.forRoutes() API on the Fastify adapter can be bypassed by appending a trailing slash (/) to the request URL.

To detect this vulnerability on your system or network, you can test the affected routes by sending HTTP requests both with and without a trailing slash and observe if the middleware is bypassed.

For example, you can use curl commands to test the behavior:

  • curl -i http://yourserver/yourroute
  • curl -i http://yourserver/yourroute/

If the request with the trailing slash bypasses authentication or middleware checks that the request without the trailing slash does not, your system is vulnerable.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54281. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart