NestJS, Middleware Bypass via HEAD Request Redirection, CVE-2026-33011 (Medium)

Listen to this Post

How the mentioned CVE works:

In NestJS versions 11.1.15 and below, when using the Fastify adapter (@nestjs/platform-fastify), HTTP `HEAD` requests are automatically redirected to existing `GET` route handlers due to Fastify’s internal behavior.
This redirection occurs before any NestJS middleware chain is evaluated.
As a result, middleware functions that are intended to run for the route (e.g., authentication, logging) are completely bypassed.
The `GET` handler still executes, but the response body is stripped because `HEAD` responses must not contain a body.
An attacker can exploit this by sending a `HEAD` request to any `GET` endpoint that is protected by middleware.
The request reaches the controller logic without undergoing security checks.
Sensitive operations may be performed while the response body remains empty, potentially evading detection.
The issue stems from Fastify’s default behavior of aliasing `HEAD` to `GET` and NestJS’s middleware registration not intercepting this internal redirection.
No error is thrown; the application processes the request as if the middleware succeeded.
Only routes that have both a `GET` handler and registered middleware are vulnerable.
The vulnerability is fixed in version 11.1.16 by explicitly disabling the automatic `HEAD` to `GET` forwarding in the Fastify adapter.
The patch ensures that middleware runs for `HEAD` requests as it would for any other HTTP method.
This CVE highlights a subtle interaction between framework layers that can lead to authorization bypass.

dailycve form:

Platform: NestJS Fastify
Version: ≤ 11.1.15
Vulnerability: Middleware bypass via HEAD
Severity: Medium
date: 03/20/2026

Prediction: 11.1.16 released 03/23/2026

What Undercode Say:

Simulate vulnerable scenario
curl -X HEAD http://localhost:3000/admin/secret -v
Middleware skipped; GET handler runs
Check Fastify route mapping
node -e "const fastify = require('fastify')(); fastify.get('/test', () => {}); console.log(fastify.printRoutes());"
Observe HEAD implicitly registered
Patch verification (post 11.1.16)
npm list @nestjs/platform-fastify
Ensure version >= 11.1.16

Exploit:

  1. Identify a NestJS Fastify endpoint with `@Get()` decorator and guarded by middleware.
  2. Send a `HEAD` request to that endpoint using `curl -I` or custom tool.
  3. Observe that the request succeeds (e.g., 200 OK) even if middleware would have blocked a GET.
  4. If the handler performs state-changing actions (e.g., database writes), those actions are executed silently.

Protection from this CVE

  • Upgrade `@nestjs/platform-fastify` to version 11.1.16 or later.
  • If upgrade is not immediate, manually disable Fastify’s HEAD-to-GET aliasing:
    `fastify.addHook(‘onRoute’, (routeOptions) => { if (routeOptions.method === ‘HEAD’) routeOptions.handler = null; });`
    – Review all routes that rely on middleware for authorization and ensure they are not exposed via HEAD.
  • Use HTTP method-specific decorators explicitly and avoid relying solely on middleware for sensitive endpoints.

Impact

Unauthenticated or unauthorized users can trigger GET handler logic without triggering middleware, leading to potential data leakage, unintended state changes, or bypass of security controls. Attackers can enumerate endpoints and perform actions that should be protected. The vulnerability affects all NestJS applications using the Fastify adapter with version ≤ 11.1.15.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top