fix(deps): update dependency @nestjs/platform-fastify to v11 [security]#882
Open
renovate[bot] wants to merge 1 commit into
Open
fix(deps): update dependency @nestjs/platform-fastify to v11 [security]#882renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
7f0b88e to
5a514a5
Compare
5a514a5 to
2e39a46
Compare
f87ef43 to
d5e9bff
Compare
d5e9bff to
94658ed
Compare
0dbf61a to
cfeff5c
Compare
cfeff5c to
0df842f
Compare
ab9d10e to
fc360fe
Compare
fc360fe to
02b56bd
Compare
Contributor
Author
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
10.2.10→11.1.16Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)
CVE-2025-69211 / GHSA-8wpr-639p-ccrj
More information
Details
A NestJS application is vulnerable if it meets all of the following criteria:
@nestjs/platform-fastify.NestMiddleware(viaMiddlewareConsumer) for security checks (authentication, authorization, etc.), or throughapp.use().forRoutes('admin')).Example Vulnerable Config:
Attack Vector:
/adminadminGET /%61dmin%61dmin), but controller for/adminis executed.Consequences:
Patches
Patched in
@nestjs/platform-fastify@11.1.11Resources
Credit goes to Hacktron AI for reporting this issue.
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Nest has a Fastify URL Encoding Middleware Bypass
CVE-2026-2293 / GHSA-r4wm-x892-vjmx
More information
Details
Impact
What kind of vulnerability is it? Who is impacted?
A NestJS application using
@nestjs/platform-fastifycan allow bypass of any middleware when Fastify path-normalization options (e.g.,ignoreTrailingSlash,ignoreDuplicateSlashes,useSemicolonDelimiter) are enabled. In affected route-scoped middleware setups, variant paths may skip middleware checks while still reaching the protected handler.The bug is a path canonicalization mismatch between middleware matching and route matching in Nest’s Fastify adapter.
Nest passes Fastify routerOptions (such as
ignoreTrailingSlash,ignoreDuplicateSlashes,useSemicolonDelimiter) to the Fastify router in packages/platform-fastify/adapters/fastify-adapter.ts:253.But middleware execution is decided by a separate regex check over
req.originalUrlin packages/platform-fastify/adapters/fastify-adapter.ts:706 and packages/platform-fastify/adapters/fastify-adapter.ts:713.If that regex does not match, Nest does
next()and skips the middleware (packages/platform-fastify/adapters/fastify-adapter.ts:714), while Fastify may still normalize the same path and route it to the protected handler. So the vulnerability exists because security checks (middleware) and request dispatch(router) use different URL interpretations.This is a fail-open design issue (inconsistent normalization), not just a bad app config: non-default router options make the mismatch reachable.
Patches
Fixed in
@nestjs/platform-fastify@11.1.14References
Credit goes to Fluidattacks (Cristian Vargas) https://fluidattacks.com/advisories/neton
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Nest Fastify HEAD Request Middleware Bypass
CVE-2026-33011 / GHSA-wf42-42fg-fg84
More information
Details
Impact
In a NestJS application using
@nestjs/platform-fastify, GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist).As a result:
Patches
Fixed in
@nestjs/platform-fastify@11.1.16Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
nestjs/nest (@nestjs/platform-fastify)
v11.1.16Compare Source
v11.1.16 (2026-03-05)
Bug fixes
microservicesDependencies
platform-expressCommitters: 2
v11.1.15Compare Source
What's Changed
New Contributors
Full Changelog: nestjs/nest@v11.1.14...v11.1.15
v11.1.14Compare Source
v11.1.14 (2026-02-17)
Bug fixes
platform-fastifycommonEnhancements
commonCommitters: 5
v11.1.13Compare Source
v11.1.13 (2026-02-03)
Bug fixes
commonEnhancements
microservicescommonDependencies
platform-fastifyplatform-expressCommitters: 6
v11.1.12Compare Source
v11.1.12 (2026-01-15)
Bug fixes
commonDependencies
platform-wscommonplatform-fastifyCommitters: 3
v11.1.11Compare Source
v11.1.11 (2025-12-29)
Bug fixes
platform-fastifycoreDependencies
platform-socket.ioplatform-fastifycommonCommitters: 3
v11.1.10Compare Source
v11.1.10 (2025-12-22)
Bug fixes
coremicroservicescommonEnhancements
commoncoremicroservicescommon,coreDependencies
platform-fastifyplatform-expresscommonCommitters: 11
v11.1.9Compare Source
v11.1.9 (2025-11-14)
Bug fixes
coreEnhancements
commonDependencies
platform-fastifyCommitters: 4
v11.1.8Compare Source
v11.1.8 (2025-10-27)
Bug fixes
coreplatform-fastifyCommitters: 2
v11.1.7Compare Source
v11.1.7 (2025-10-21)
Bug fixes
microservicesplatform-fastifycorecommonEnhancements
common,platform-socket.io,websocketscommoncommon,corecoremicroservicesDependencies
platform-fastifycore,platform-express,platform-fastifycommonCommitters: 9
v11.1.6Compare Source
v11.1.6 (2025-08-07)
Bug fixes
coremicroservicesDependencies
platform-fastifyCommitters: 6
v11.1.5Compare Source
v11.1.5 (2025-07-18)
Dependencies
platform-expressv11.1.4Compare Source
v11.1.4 (2025-07-16)
Bug fixes
platform-fastifycore,testingcoremicroservicesEnhancements
platform-fastifycommon,core,microservices,platform-express,platform-fastify,websocketscoreDependencies
platform-wsplatform-fastifyCommitters: 11
v11.1.3Compare Source
v11.1.3 (2025-06-06)
Bug fixes
coreEnhancements
commoncommon,coreDependencies
platform-expressCommitters: 3
v11.1.2Compare Source
v11.1.2 (2025-05-26)
Bug fixes
microservicesDependencies
commonplatform-expressCommitters: 2
v11.1.1Compare Source
v11.1.1 (2025-05-14)
Bug fixes
coremicroservicescore,platform-fastifygetHeaderandappendHeadermethods fromAbstractHttpAdapter(@micalevisk)platform-expressEnhancements
microservicesDependencies
platform-fastifyplatform-wscommonCommitters: 7
v11.1.0Compare Source
v11.1.0 (2025-04-23)
Enhancements
microservicesCommitters: 1
v11.0.21Compare Source
v11.0.21 (2025-04-23)
Enhancements
commonDependencies
platform-fastifyCommitters: 1
v11.0.20Compare Source
What's Changed
evalby @Borewit in #14974New Contributors
Full Changelog: nestjs/nest@v11.0.19...v11.0.20
v11.0.19Compare Source
v11.0.18Compare Source
What's Changed
d9a69a3Full Changelog: nestjs/nest@v11.0.17...v11.0.18
v11.0.17Compare Source
v11.0.16Compare Source
v11.0.16 (2025-04-11)
file-typeto validate file mimetypes by @Chathula in #14881v11.0.15Compare Source
v11.0.15 (2025-04-10)
Bug fixes
platform-fastifyCommitters: 1
v11.0.14Compare Source
v11.0.14 (2025-04-09)
Bug fixes
platform-fastifyCommitters: 1
v11.0.13Compare Source
v11.0.13 (2025-04-03)
Bug fixes
platform-fastifymicroservicesDependencies
platform-expressplatform-fastifyCommitters: 2
v11.0.12Compare Source
v11.0.12 (2025-03-19)
Bug fixes
coreEnhancements
corev11.0.11Compare Source
v11.0.11 (2025-02-28)
Enhancements
platform-fastifyDependencies
platform-fastifyplatform-wsCommitters: 1
v11.0.10Compare Source
v11.0.10 (2025-02-17)
Bug fixes
microservicesplatform-expressv11.0.9Compare Source
v11.0.9 (2025-02-10)
Bug fixes
corecommonCommitters: 2
v11.0.8Compare Source
v11.0.8 (2025-02-06)
Bug fixes
commonplatform-expressCommitters: 4
v11.0.7Compare Source
v11.0.7 (2025-01-31)
Bug fixes
coreCommitters: 1
v11.0.6Compare Source
v11.0.6 (2025-01-27)
Bug fixes
coreCommitters: 1
v11.0.5Compare Source
v11.0.5 (2025-01-23)
Bug fixes
coreCommitters: 1
v11.0.4Compare Source
v11.0.3Compare Source
v11.0.2Compare Source
v11.0.1Compare Source
v11.0.0Compare Source
v11.0.0 (2025-01-16)
Article: https://trilon.io/blog/announcing-nestjs-11-whats-new
Migration guide: https://docs.nestjs.com/migration-guide 👈 👈 👈
Features
common,core,microservicescommon,corecommon,core,microservices,platform-express,platform-fastify,platform-socket.io,platform-ws,testing,websocketsEnhancements
common@Inject()(@micalevisk)microserviceswebsocketscommon,core,microservices,websocketscommon,core,platform-fastifyplatform-expressplatform-wsplatform-fastifycommon,coreBug fixes
coreReflectortypes (@AlexRMU)Configuration
📅 Schedule: (in timezone Asia/Shanghai)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.