NestJS applications using the `@nestjs/platform-fastify` package are vulnerable to an authentication bypass when middleware is registered via the `MiddlewareConsumer.forRoutes()` API. By simply appending a trailing slash (/) to the request URL, an unauthenticated attacker can bypass the middleware entirely and access protected resources without permission.
The root cause lies in how the Fastify adapter normalizes incoming request URLs and how it subsequently matches them against the registered middleware routes. When a client sends a request to `/admin`, the middleware is correctly triggered. However, if the client sends the request to `/admin/`, Fastify may normalize the URL internally before the NestJS middleware layer evaluates it. This mismatch causes the middleware registration check (which typically uses a strict route path such as `/admin`) to fail, so the middleware is never executed for that request.
The vulnerability is particularly dangerous because it affects the default Fastify adapter configuration; no special router options need to be enabled for the bypass to work. Any application using standard CRUD routes, such as `GET /resource` and `GET /resource/:id`, is impacted if those routes are protected by middleware registered via `MiddlewareConsumer.forRoutes()`. An attacker exploiting this vulnerability could gain unauthorized access to administrative endpoints, bypass authentication checks, read sensitive data, or perform unauthorized actions.
NestJS maintainers have fixed the issue in version `11.1.24` by ensuring that both the raw and normalized forms of the request URL are considered during middleware route matching. This change prevents the mismatch that previously allowed the trailing slash bypass. All users of `@nestjs/platform-fastify` are strongly advised to upgrade immediately to the patched version.
DailyCVE Form:
Platform: NestJS
Version: 11.1.24
Vulnerability: Auth Bypass
Severity: Critical
Date: 2026-06-08
Prediction: 2026-06-08
What Undercode Say:
Verify the installed version:
npm list @nestjs/platform-fastify
Simulate the bypass with curl and compare the two responses:
curl -i http://vulnerable-app.com/admin
curl -i http://vulnerable-app.com/admin/
Check middleware registration:
grep -r "MiddlewareConsumer.forRoutes" src/
// Vulnerable middleware registration (on unpatched @nestjs/platform-fastify,
// a request to /admin/ with a trailing slash skips AuthMiddleware)
import { Module, MiddlewareConsumer, NestModule } from '@nestjs/common';
import { AuthMiddleware } from './auth.middleware'; // import path assumed

@Module({})
export class AppModule implements NestModule {
  configure(consumer: MiddlewareConsumer) {
    consumer
      .apply(AuthMiddleware)
      .forRoutes('admin'); // vulnerable route
  }
}
Exploit:
Example: bypassing authentication on /dashboard
curl -i http://target.com/dashboard/
This request bypasses the /dashboard middleware.
Protection:
Upgrade to the patched version:
npm install @nestjs/platform-fastify@11.1.24
// Alternative workaround: normalize URLs manually before routing.
// Strips trailing slashes from the path only, keeps the root "/" intact,
// and preserves any query string.
app.use((req, res, next) => {
  const qIdx = req.url.indexOf('?');
  const path = qIdx === -1 ? req.url : req.url.slice(0, qIdx);
  const query = qIdx === -1 ? '' : req.url.slice(qIdx);
  if (path.length > 1 && path.endsWith('/')) {
    req.url = path.replace(/\/+$/, '') + query;
  }
  next();
});
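The following is an added example, not code from the NestJS or Fastify projects, that shows the two defensive ideas above side by side: a trailing-slash-safe normalizer (the workaround done carefully, covering the root path, repeated slashes and query strings) and a route matcher that checks both the raw and the normalized request path, the approach the 11.1.24 fix is described as taking. The segment-prefix matching rule, the `audit` helper and the fake request object are assumptions made for illustration and are not NestJS's own route-matching semantics.

```javascript
// Added example: trailing-slash-safe normalization and both-forms route matching.
// Not project code; matching semantics below are an illustrative assumption.

// Split "/admin/?x=1" into ["/admin/", "?x=1"]; the query string is left untouched.
function splitUrl(url) {
  const qIdx = url.indexOf('?');
  return qIdx === -1 ? [url, ''] : [url.slice(0, qIdx), url.slice(qIdx)];
}

// Remove trailing slashes from the path part only.
// "/" stays "/", and "/admin//?x=1" becomes "/admin?x=1".
function normalizePath(url) {
  const [path, query] = splitUrl(url);
  const stripped = path.replace(/\/+$/, '');
  return (stripped === '' ? '/' : stripped) + query;
}

// Middleware-shaped form of the workaround: rewrite req.url in place so the
// router and any downstream middleware see the same normalized URL.
function normalizeTrailingSlash(req, res, next) {
  req.url = normalizePath(req.url);
  next();
}

// Normalize a registered route such as 'admin', '/admin' or 'admin/' to '/admin'.
function routeToPath(route) {
  return normalizePath('/' + route.replace(/^\/+/, ''));
}

// Prefix match on segment boundaries (assumed rule): "/admin" matches "/admin"
// and "/admin/users" but not "/administrator". Both the raw and the normalized
// request path are tested, so a trailing slash cannot dodge the guard.
function matchesRoute(url, route) {
  const routePath = routeToPath(route);
  const hit = (p) => p === routePath || p.startsWith(routePath + '/');
  const [rawPath] = splitUrl(url);
  const [normPath] = splitUrl(normalizePath(url));
  return hit(rawPath) || hit(normPath);
}

// Audit helper: for each URL, compare a naive exact-path check (the behaviour
// the advisory describes as bypassable) with the both-forms matcher.
function audit(urls, route) {
  const routePath = routeToPath(route);
  return urls.map((url) => ({
    url,
    exactMatch: splitUrl(url)[0] === routePath,
    robustMatch: matchesRoute(url, route),
  }));
}

// Constructed sample requests (not captured from a real system).
const SAMPLE_URLS = ['/admin', '/admin/', '/admin//', '/admin/?page=2', '/administrator'];

// Rows where exactMatch is false but robustMatch is true are exactly the
// trailing-slash variants an exact-path guard would let through.
console.table(audit(SAMPLE_URLS, 'admin'));
```

Run with `node` to see the audit table; `/admin/`, `/admin//` and `/admin/?page=2` fail the exact check and pass the robust one, while `/administrator` fails both, which is the behaviour a guard should have.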
Impact:
- Unauthenticated attackers can access protected routes.
- Complete bypass of authentication and authorization middleware.
- Unauthorized data access, modification, or deletion.
Sources:
Reported By: github.com