Update dependency @nestjs/platform-fastify to v11 [SECURITY] by renovate[bot] · Pull Request #120 · Insidexa/nestjs-rpc

renovate · 2025-12-30T15:37:31Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@nestjs/platform-fastify (source)	`7.3.2` → `11.1.16`

GitHub Vulnerability Alerts

CVE-2025-69211

A NestJS application is vulnerable if it meets all of the following criteria:

Platform: Uses @nestjs/platform-fastify.
Security Mechanism: Relies on NestMiddleware (via MiddlewareConsumer) for security checks (authentication, authorization, etc.), or through app.use()
Routing: Applies middleware to specific routes using string paths or controllers (e.g., .forRoutes('admin')).
Example Vulnerable Config:

// app.module.ts
export class AppModule implements NestModule {
  configure(consumer: MiddlewareConsumer) {
    consumer
      .apply(AuthMiddleware) // Security check
      .forRoutes('admin');   // Vulnerable: Path-based restriction
  }
}

Attack Vector:

Target Route: /admin
Middleware Path: admin
Attack Request: GET /%61dmin
Result: Middleware is skipped (no match on %61dmin), but controller for /admin is executed.

Consequences:

Authentication Bypass: Unauthenticated users can access protected routes.
Authorization Bypass: Restricted administrative endpoints become accessible to lower-privileged users.
Input Validation Bypass: Middleware performing sanitization or validation can be skipped.

Patches

Patched in @nestjs/platform-fastify@11.1.11

Resources

Credit goes to Hacktron AI for reporting this issue.

CVE-2026-2293

Impact

What kind of vulnerability is it? Who is impacted?

A NestJS application using @nestjs/platform-fastify can allow bypass of any middleware when Fastify path-normalization options (e.g., ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter) are enabled. In affected route-scoped middleware setups, variant paths may skip middleware checks while still reaching the protected handler.

The bug is a path canonicalization mismatch between middleware matching and route matching in Nest’s Fastify adapter.

Nest passes Fastify routerOptions (such as ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter) to the Fastify router in packages/platform-fastify/adapters/fastify-adapter.ts:253.

But middleware execution is decided by a separate regex check over req.originalUrl in packages/platform-fastify/adapters/fastify-adapter.ts:706 and packages/platform-fastify/adapters/fastify-adapter.ts:713.

If that regex does not match, Nest does next() and skips the middleware (packages/platform-fastify/adapters/fastify-adapter.ts:714), while Fastify may still normalize the same path and route it to the protected handler. So the vulnerability exists because security checks (middleware) and request dispatch(router) use different URL interpretations.

This is a fail-open design issue (inconsistent normalization), not just a bad app config: non-default router options make the mismatch reachable.

Patches

Fixed in @nestjs/platform-fastify@11.1.14

References

Credit goes to Fluidattacks (Cristian Vargas) https://fluidattacks.com/advisories/neton

CVE-2026-33011

Impact

In a NestJS application using @nestjs/platform-fastify, GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist).

As a result:

Middleware will be completely skipped.
The HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET handler).
The actual handler will still be executed.

Patches

Fixed in @nestjs/platform-fastify@11.1.16

Release Notes

nestjs/nest (@nestjs/platform-fastify)

Conversation

renovate bot commented Dec 30, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Patches

Resources

Impact

Patches

References

Impact

Patches

Release Notes

v11.1.16 (2026-03-05)

Bug fixes

Dependencies

Committers: 2

What's Changed

New Contributors

v11.1.14 (2026-02-17)

Bug fixes

Enhancements

Committers: 5

v11.1.13 (2026-02-03)

Bug fixes

Enhancements

Dependencies

Committers: 6

v11.1.12 (2026-01-15)

Bug fixes

Dependencies

Committers: 3

v11.1.11 (2025-12-29)

Bug fixes

Dependencies

Committers: 3

v11.1.10 (2025-12-22)

Bug fixes

Enhancements

Dependencies

Committers: 11

v11.1.9 (2025-11-14)

Bug fixes

Enhancements

Dependencies

Committers: 4

v11.1.8 (2025-10-27)

Bug fixes

Committers: 2

v11.1.7 (2025-10-21)

Bug fixes

Enhancements

Dependencies

Committers: 9

v11.1.6 (2025-08-07)

Bug fixes

Dependencies

Committers: 6

v11.1.5 (2025-07-18)

Dependencies

v11.1.4 (2025-07-16)

Bug fixes

Enhancements

Dependencies

Committers: 11

v11.1.3 (2025-06-06)

Bug fixes

Enhancements

Dependencies

Committers: 3

v11.1.2 (2025-05-26)

Bug fixes

Dependencies

Committers: 2

v11.1.1 (2025-05-14)

Bug fixes

Enhancements

Dependencies

Committers: 7

v11.1.0 (2025-04-23)

Enhancements

renovate bot commented Dec 30, 2025 •

edited

Loading