Nest.JS Fastify URL Encoding Middleware Bypass Vulnerability (CVE-2025-69211)
CVE number = CVE-2025-69211
Nest is a framework for building scalable Node.js server-side applications.
Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses `@nestjs/platform-fastify`; relies on `NestMiddleware` (via `MiddlewareConsumer`) for security checks (authentication, authorization, etc.), or through `app.use()`; and applies middleware to specific routes using string paths or controllers (e.g., `.forRoutes(‘admin’)`).
Exploitation can result in unauthenticated users accessing protected routes, restricted administrative endpoints becoming accessible to lower-privileged users, and/or middleware performing sanitization or validation being skipped.
This issue is patched in `@nestjs/[email protected]`.

I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.
