CVE-2026-54281
Nest: Middleware Bypass on Fastify via Trailing Slash
Description
### Impact

An authentication bypass vulnerability exists in `@nestjs/platform-fastify` (confirmed on version `11.1.24`, the latest available release at time of report). When middleware is registered through NestJS's `MiddlewareConsumer.forRoutes()` API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route by simply appending a trailing slash (`/`) to the request URL.

This bypass works on the **default Fastify adapter configuration**: no special router options need to be enabled. Applications using the standard CRUD route shape (`GET /resource` and `GET /resource/:id`) are affected when they protect those routes with `MiddlewareConsumer.forRoutes()` middleware.

### Patches

Fixed in `@nestjs/[email protected]`

### References

Kudos to @a-tt-om
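As an added illustration (not code from the advisory, from NestJS or from Fastify), the following Node.js script models the class of defect described above: a middleware route matcher that compares the raw request path against a registered pattern does not cover the trailing-slash spelling of the same route, while a matcher that canonicalises the path before matching does. The pattern syntax, the helper names (`patternToRegExp`, `normalizePath`, `uncoveredPaths`, `report`) and the sample paths are constructed for this example and are not Nest's internals; the actual remediation is the upgrade named under Patches.

```javascript
// Added illustration, not code from @nestjs/platform-fastify or the advisory.
// Models a middleware route matcher in a naive form (raw path compared against
// the pattern) and a normalising form (path canonicalised first), and provides
// a check that reports which spellings of a protected route the matcher misses.

// Convert a Nest-style route pattern ("resource/:id") into an anchored RegExp.
// Hypothetical helper: ":param" segments match exactly one non-empty segment.
function patternToRegExp(pattern) {
  const segs = pattern.replace(/^\/+|\/+$/g, "").split("/").filter(Boolean);
  const body = segs
    .map((s) =>
      s.startsWith(":") ? "[^/]+" : s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")
    )
    .join("/");
  return new RegExp(`^/${body}$`);
}

// Naive matcher: tests the request path exactly as received.
// "/resource/" does not satisfy ^/resource$, so middleware keyed on the
// pattern "resource" would not run for the trailing-slash request.
function matchesNaive(pattern, requestPath) {
  return patternToRegExp(pattern).test(requestPath);
}

// Canonicalise a request path: drop the query string, collapse repeated
// slashes, strip trailing slashes, and keep "/" for the root.
function normalizePath(requestPath) {
  const noQuery = requestPath.split("?")[0];
  const collapsed = noQuery.replace(/\/{2,}/g, "/");
  const stripped = collapsed.replace(/\/+$/, "");
  return stripped === "" ? "/" : stripped;
}

// Normalising matcher: canonicalise first, then test the pattern.
function matchesNormalized(pattern, requestPath) {
  return patternToRegExp(pattern).test(normalizePath(requestPath));
}

// Defender check: for each protected pattern and each sample request path,
// flag paths whose canonical form matches the pattern but whose raw spelling
// the given matcher does not cover. Returns the list of (pattern, path) gaps.
function uncoveredPaths(matcher, patterns, samplePaths) {
  const gaps = [];
  for (const pattern of patterns) {
    for (const path of samplePaths) {
      if (matcher(pattern, path)) continue;
      if (matcher(pattern, normalizePath(path))) {
        gaps.push({ pattern, path });
      }
    }
  }
  return gaps;
}

// Constructed sample: the CRUD route shape named in the advisory, plus the
// alternative spellings of those routes a canonicalising router would accept.
const PROTECTED = ["resource", "resource/:id"];
const SAMPLE_PATHS = [
  "/resource",
  "/resource/",
  "/resource/42",
  "/resource/42/",
  "/resource//42",
];

// Run both matchers over the sample and return the gaps each one leaves.
function report() {
  return {
    naive: uncoveredPaths(matchesNaive, PROTECTED, SAMPLE_PATHS),
    normalized: uncoveredPaths(matchesNormalized, PROTECTED, SAMPLE_PATHS),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

`report()` doubles as a regression check that can be adapted to an application's own protected route list: every pair it returns is a spelling the router would canonicalise onto a protected route but the middleware matcher would not see. The normalisation used on the middleware side must agree with the router's own canonicalisation (trailing-slash and duplicate-slash handling included); normalising only one side merely moves the mismatch.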
How to fix CVE-2026-54281
To remediate CVE-2026-54281, upgrade the affected package to a fixed version below.
- `@nestjs/platform-fastify`: upgrade to 11.1.24 or later
Is CVE-2026-54281 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-54281.
Affected packages (1)
- `@nestjs/platform-fastify` (npm): >= 0, < 11.1.24
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N |