NewsSecurity Vulnerabilities

Nest.JS Fastify URL Encoding Middleware Bypass Vulnerability (CVE-2025-69211)

CVE number = CVE-2025-69211

Nest is a framework for building scalable Node.js server-side applications.

Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses `@nestjs/platform-fastify`; relies on `NestMiddleware` (via `MiddlewareConsumer`) for security checks (authentication, authorization, etc.), or through `app.use()`; and applies middleware to specific routes using string paths or controllers (e.g., `.forRoutes(‘admin’)`).

Exploitation can result in unauthenticated users accessing protected routes, restricted administrative endpoints becoming accessible to lower-privileged users, and/or middleware performing sanitization or validation being skipped.

This issue is patched in `@nestjs/[email protected]`.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.