CVE-2026-54281
Status: Received - Intake
Authentication Bypass in NestJS Fastify Adapter

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.24, an authentication bypass vulnerability exists in @nestjs/platform-fastify. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes() API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route by simply appending a trailing slash (/) to the request URL. This bypass works on the default Fastify adapter configuration. This vulnerability is fixed in 11.1.24.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor: nestjs, Product: nest, Version range: all versions before 11.1.24 (11.1.24 excluded)
Vendor: nestjs, Product: platform_fastify, Version range: all versions before 11.1.24 (11.1.24 excluded)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

This vulnerability exists in the NestJS framework, specifically in the @nestjs/platform-fastify package before version 11.1.24. It allows an unauthenticated client to bypass the authentication middleware registered for certain routes when using the Fastify adapter. The bypass occurs if the client appends a trailing slash (/) to the request URL, causing the middleware to be skipped under the default Fastify configuration.

Impact Analysis

This vulnerability can allow unauthorized users to access protected routes or resources without proper authentication by exploiting the trailing slash bypass. This could lead to unauthorized access to sensitive data or functionality, potentially compromising the security of applications built with the affected NestJS versions.

Mitigation Strategies

To mitigate this vulnerability, update the @nestjs/platform-fastify package to version 11.1.24 or later, where the authentication bypass issue has been fixed.

Additionally, review every middleware registration made through MiddlewareConsumer.forRoutes() on the Fastify adapter and confirm that the trailing-slash variant of each protected route (for example /admin/ alongside /admin) still passes through the authentication middleware, so that no unauthenticated access is possible via trailing slashes in request URLs.
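The following is an added illustration, not code from NestJS, Fastify, or this advisory: it shows the general class of defect (a route matcher that treats /admin and /admin/ as different paths, so middleware bound to one never sees the other), a matcher that normalises the path before comparing, and two small defender-side checks. The matchers, the route list and the request paths are constructed for this example and do not reproduce the real adapter logic.

```javascript
// Naive matcher: plain string equality with the registered route. A request
// for "/admin/" is not equal to "/admin", so middleware bound to "/admin"
// would never run for it. (Constructed illustration of the defect class.)
function exactMatch(registeredRoute, requestPath) {
  return registeredRoute === requestPath;
}

// Normalise a path for comparison: collapse repeated slashes and drop a
// trailing slash, while keeping the root "/" intact.
function normalizePath(p) {
  const collapsed = p.replace(/\/{2,}/g, '/');
  return collapsed.length > 1 ? collapsed.replace(/\/+$/, '') : collapsed;
}

// Hardened matcher: compare normalised forms, so "/admin" and "/admin/"
// are treated as the same protected resource.
function normalizedMatch(registeredRoute, requestPath) {
  return normalizePath(registeredRoute) === normalizePath(requestPath);
}

// Audit helper: for each route that should sit behind middleware, check
// whether its trailing-slash variant would slip past the given matcher.
// Returns the unprotected variants so the gap is visible before deployment.
function findBypassableRoutes(protectedRoutes, matcher) {
  const gaps = [];
  for (const route of protectedRoutes) {
    const variant = route.endsWith('/') ? route.slice(0, -1) : route + '/';
    if (!matcher(route, variant)) gaps.push(variant);
  }
  return gaps;
}

// Constructed sample: routes an application would typically guard with
// authentication middleware.
const PROTECTED_ROUTES = ['/admin', '/api/users', '/api/orders'];

// Detection helper for access logs: flag request paths that reach a
// protected route only through a non-canonical form (trailing or doubled
// slash), which is what a bypass attempt against this issue looks like.
function flagSuspiciousPaths(protectedRoutes, requestPaths) {
  return requestPaths.filter((p) => {
    const path = p.split('?')[0]; // ignore the query string
    return path !== normalizePath(path) &&
      protectedRoutes.some((r) => normalizedMatch(r, path));
  });
}
```

Run findBypassableRoutes against your own route list with the matcher semantics your adapter actually uses; an empty result for the hardened matcher and a non-empty one for exact matching is the pattern this advisory describes.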
