Skip to content

fix(deps): update dependency @nestjs/platform-fastify to v11 [security]#882

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-nestjs-platform-fastify-vulnerability
Open

fix(deps): update dependency @nestjs/platform-fastify to v11 [security]#882
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-nestjs-platform-fastify-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Dec 30, 2025

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@nestjs/platform-fastify (source) 10.2.1011.1.16 age adoption passing confidence

Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)

CVE-2025-69211 / GHSA-8wpr-639p-ccrj

More information

Details

A NestJS application is vulnerable if it meets all of the following criteria:

  1. Platform: Uses @nestjs/platform-fastify.
  2. Security Mechanism: Relies on NestMiddleware (via MiddlewareConsumer) for security checks (authentication, authorization, etc.), or through app.use()
  3. Routing: Applies middleware to specific routes using string paths or controllers (e.g., .forRoutes('admin')).
    Example Vulnerable Config:
// app.module.ts
export class AppModule implements NestModule {
  configure(consumer: MiddlewareConsumer) {
    consumer
      .apply(AuthMiddleware) // Security check
      .forRoutes('admin');   // Vulnerable: Path-based restriction
  }
}

Attack Vector:

  • Target Route: /admin
  • Middleware Path: admin
  • Attack Request: GET /%61dmin
  • Result: Middleware is skipped (no match on %61dmin), but controller for /admin is executed.

Consequences:

  • Authentication Bypass: Unauthenticated users can access protected routes.
  • Authorization Bypass: Restricted administrative endpoints become accessible to lower-privileged users.
  • Input Validation Bypass: Middleware performing sanitization or validation can be skipped.
Patches

Patched in @nestjs/platform-fastify@11.1.11

Resources

Credit goes to Hacktron AI for reporting this issue.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Nest has a Fastify URL Encoding Middleware Bypass

CVE-2026-2293 / GHSA-r4wm-x892-vjmx

More information

Details

Impact

What kind of vulnerability is it? Who is impacted?

A NestJS application using @nestjs/platform-fastify can allow bypass of any middleware when Fastify path-normalization options (e.g., ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter) are enabled. In affected route-scoped middleware setups, variant paths may skip middleware checks while still reaching the protected handler.

The bug is a path canonicalization mismatch between middleware matching and route matching in Nest’s Fastify adapter.

Nest passes Fastify routerOptions (such as ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter) to the Fastify router in packages/platform-fastify/adapters/fastify-adapter.ts:253.

But middleware execution is decided by a separate regex check over req.originalUrl in packages/platform-fastify/adapters/fastify-adapter.ts:706 and packages/platform-fastify/adapters/fastify-adapter.ts:713.

If that regex does not match, Nest does next() and skips the middleware (packages/platform-fastify/adapters/fastify-adapter.ts:714), while Fastify may still normalize the same path and route it to the protected handler. So the vulnerability exists because security checks (middleware) and request dispatch(router) use different URL interpretations.

This is a fail-open design issue (inconsistent normalization), not just a bad app config: non-default router options make the mismatch reachable.

Patches

Fixed in @nestjs/platform-fastify@11.1.14

References

Credit goes to Fluidattacks (Cristian Vargas) https://fluidattacks.com/advisories/neton

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Nest Fastify HEAD Request Middleware Bypass

CVE-2026-33011 / GHSA-wf42-42fg-fg84

More information

Details

Impact

In a NestJS application using @nestjs/platform-fastify, GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist).

As a result:

  • Middleware will be completely skipped.
  • The HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET handler).
  • The actual handler will still be executed.
Patches

Fixed in @nestjs/platform-fastify@11.1.16

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

nestjs/nest (@​nestjs/platform-fastify)

v11.1.16

Compare Source

v11.1.16 (2026-03-05)

Bug fixes
  • microservices
Dependencies
Committers: 2

v11.1.15

Compare Source

What's Changed

New Contributors

Full Changelog: nestjs/nest@v11.1.14...v11.1.15

v11.1.14

Compare Source

v11.1.14 (2026-02-17)

Bug fixes
Enhancements
Committers: 5

v11.1.13

Compare Source

v11.1.13 (2026-02-03)

Bug fixes
  • common
Enhancements
Dependencies
Committers: 6

v11.1.12

Compare Source

v11.1.12 (2026-01-15)

Bug fixes
Dependencies
Committers: 3

v11.1.11

Compare Source

v11.1.11 (2025-12-29)

Bug fixes
Dependencies
Committers: 3

v11.1.10

Compare Source

v11.1.10 (2025-12-22)

Bug fixes
Enhancements
Dependencies
Committers: 11

v11.1.9

Compare Source

v11.1.9 (2025-11-14)

Bug fixes
Enhancements
Dependencies
Committers: 4

v11.1.8

Compare Source

v11.1.8 (2025-10-27)

Bug fixes
Committers: 2

v11.1.7

Compare Source

v11.1.7 (2025-10-21)

Bug fixes
Enhancements
Dependencies
Committers: 9

v11.1.6

Compare Source

v11.1.6 (2025-08-07)
Bug fixes
Dependencies
Committers: 6

v11.1.5

Compare Source

v11.1.5 (2025-07-18)

Dependencies

v11.1.4

Compare Source

v11.1.4 (2025-07-16)

Bug fixes
Enhancements
Dependencies
Committers: 11

v11.1.3

Compare Source

v11.1.3 (2025-06-06)
Bug fixes
Enhancements
Dependencies
Committers: 3

v11.1.2

Compare Source

v11.1.2 (2025-05-26)

Bug fixes
Dependencies
Committers: 2

v11.1.1

Compare Source

v11.1.1 (2025-05-14)

Bug fixes
Enhancements
Dependencies
Committers: 7

v11.1.0

Compare Source

v11.1.0 (2025-04-23)

Enhancements
Committers: 1

v11.0.21

Compare Source

v11.0.21 (2025-04-23)

Enhancements
Dependencies
Committers: 1

v11.0.20

Compare Source

What's Changed

New Contributors

Full Changelog: nestjs/nest@v11.0.19...v11.0.20

v11.0.19

Compare Source

v11.0.18

Compare Source

What's Changed

  • chore(common): temporarily move file-type to regular deps d9a69a3

Full Changelog: nestjs/nest@v11.0.17...v11.0.18

v11.0.17

Compare Source

v11.0.16

Compare Source

v11.0.16 (2025-04-11)

v11.0.15

Compare Source

v11.0.15 (2025-04-10)
Bug fixes
Committers: 1

v11.0.14

Compare Source

v11.0.14 (2025-04-09)
Bug fixes
  • platform-fastify
Committers: 1

v11.0.13

Compare Source

v11.0.13 (2025-04-03)
Bug fixes
  • platform-fastify
  • microservices
    • #​14869 fix(microservices): do not re-create client connection once get client by service name (@​mingo023)
Dependencies
Committers: 2

v11.0.12

Compare Source

v11.0.12 (2025-03-19)
Bug fixes
Enhancements

v11.0.11

Compare Source

v11.0.11 (2025-02-28)
Enhancements
  • platform-fastify
Dependencies
Committers: 1

v11.0.10

Compare Source

v11.0.10 (2025-02-17)
Bug fixes

v11.0.9

Compare Source

v11.0.9 (2025-02-10)
Bug fixes
Committers: 2

v11.0.8

Compare Source

v11.0.8 (2025-02-06)
Bug fixes
Committers: 4

v11.0.7

Compare Source

v11.0.7 (2025-01-31)
Bug fixes
Committers: 1

v11.0.6

Compare Source

v11.0.6 (2025-01-27)
Bug fixes
Committers: 1

v11.0.5

Compare Source

v11.0.5 (2025-01-23)
Bug fixes
Committers: 1

v11.0.4

Compare Source

v11.0.3

Compare Source

v11.0.2

Compare Source

v11.0.1

Compare Source

v11.0.0

Compare Source

v11.0.0 (2025-01-16)

Article: https://trilon.io/blog/announcing-nestjs-11-whats-new
Migration guide: https://docs.nestjs.com/migration-guide 👈 👈 👈

⚠️ Node v16 and v18 are no longer supported (>= v20 is required).

Features
  • common, core, microservices
  • common, core
  • common, core, microservices, platform-express, platform-fastify, platform-socket.io, platform-ws, testing, websockets
    • #​14238 chore(deps): upgrade to express v5, fastify v5, add legacy route path converter to minimize breaking changes (@​kamilmysliwiec)
Enhancements
Bug fixes

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone Asia/Shanghai)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the renovate label Dec 30, 2025
@renovate renovate Bot force-pushed the renovate/npm-nestjs-platform-fastify-vulnerability branch 2 times, most recently from 7f0b88e to 5a514a5 Compare January 23, 2026 19:43
@renovate renovate Bot force-pushed the renovate/npm-nestjs-platform-fastify-vulnerability branch from 5a514a5 to 2e39a46 Compare February 2, 2026 16:32
@renovate renovate Bot force-pushed the renovate/npm-nestjs-platform-fastify-vulnerability branch 2 times, most recently from f87ef43 to d5e9bff Compare February 17, 2026 15:14
@renovate renovate Bot force-pushed the renovate/npm-nestjs-platform-fastify-vulnerability branch from d5e9bff to 94658ed Compare March 3, 2026 13:48
@renovate renovate Bot force-pushed the renovate/npm-nestjs-platform-fastify-vulnerability branch 2 times, most recently from 0dbf61a to cfeff5c Compare March 17, 2026 21:47
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/platform-fastify to v11 [security] fix(deps): update dependency @nestjs/platform-fastify to v11 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-nestjs-platform-fastify-vulnerability branch March 27, 2026 01:40
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/platform-fastify to v11 [security] - autoclosed fix(deps): update dependency @nestjs/platform-fastify to v11 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-platform-fastify-vulnerability branch 2 times, most recently from cfeff5c to 0df842f Compare March 30, 2026 21:24
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/platform-fastify to v11 [security] fix(deps): update dependency @nestjs/platform-fastify to v11 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title fix(deps): update dependency @nestjs/platform-fastify to v11 [security] - autoclosed fix(deps): update dependency @nestjs/platform-fastify to v11 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-nestjs-platform-fastify-vulnerability branch 3 times, most recently from ab9d10e to fc360fe Compare April 29, 2026 20:12
@renovate renovate Bot force-pushed the renovate/npm-nestjs-platform-fastify-vulnerability branch from fc360fe to 02b56bd Compare May 12, 2026 10:34
@renovate

renovate Bot commented May 12, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
[WARN] The "pnpm" field in package.json is no longer read by pnpm. The following keys were ignored: "pnpm.overrides". See https://pnpm.io/settings for the new home of each setting.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants