⬆️ Update dependency @nestjs/platform-fastify to v11.1.14 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@nestjs/platform-fastify (source)	11.1.3 → 11.1.14

---

Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)

CVE-2025-69211 / GHSA-8wpr-639p-ccrj

More information

Details

A NestJS application is vulnerable if it meets all of the following criteria:

1. Platform: Uses @nestjs/platform-fastify.
2. Security Mechanism: Relies on NestMiddleware (via MiddlewareConsumer) for security checks (authentication, authorization, etc.), or through app.use()
3. Routing: Applies middleware to specific routes using string paths or controllers (e.g., .forRoutes('admin')).
   Example Vulnerable Config:

// app.module.ts
export class AppModule implements NestModule {
  configure(consumer: MiddlewareConsumer) {
    consumer
      .apply(AuthMiddleware) // Security check
      .forRoutes('admin');   // Vulnerable: Path-based restriction
  }
}

Attack Vector:

• Target Route: /admin
• Middleware Path: admin
• Attack Request: GET /%61dmin
• Result: Middleware is skipped (no match on %61dmin), but controller for /admin is executed.

Consequences:

• Authentication Bypass: Unauthenticated users can access protected routes.
• Authorization Bypass: Restricted administrative endpoints become accessible to lower-privileged users.
• Input Validation Bypass: Middleware performing sanitization or validation can be skipped.

Patches

Patched in @nestjs/platform-fastify@11.1.11

Resources

Credit goes to Hacktron AI for reporting this issue.

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

References

• https://github.com/nestjs/nest/security/advisories/GHSA-8wpr-639p-ccrj
• https://nvd.nist.gov/vuln/detail/CVE-2025-69211
• https://github.com/nestjs/nest/commit/c4cedda15a05aafec1e6045b36b0335ab850e771
• https://github.com/advisories/GHSA-8wpr-639p-ccrj

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Nest has a Fastify URL Encoding Middleware Bypass

CVE-2026-2293 / GHSA-r4wm-x892-vjmx

More information

Details

Impact

What kind of vulnerability is it? Who is impacted?

A NestJS application using @nestjs/platform-fastify can allow bypass of any middleware when Fastify path-normalization options (e.g., ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter) are enabled. In affected route-scoped middleware setups, variant paths may skip middleware checks while still reaching the protected handler.

The bug is a path canonicalization mismatch between middleware matching and route matching in Nest’s Fastify adapter.

Nest passes Fastify routerOptions (such as ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter) to the Fastify router in packages/platform-fastify/adapters/fastify-adapter.ts:253.

But middleware execution is decided by a separate regex check over req.originalUrl in packages/platform-fastify/adapters/fastify-adapter.ts:706 and packages/platform-fastify/adapters/fastify-adapter.ts:713.

If that regex does not match, Nest does next() and skips the middleware (packages/platform-fastify/adapters/fastify-adapter.ts:714), while Fastify may still normalize the same path and route it to the protected handler. So the vulnerability exists because security checks (middleware) and request dispatch(router) use different URL interpretations.

This is a fail-open design issue (inconsistent normalization), not just a bad app config: non-default router options make the mismatch reachable.

Patches

Fixed in @nestjs/platform-fastify@11.1.14

References

Credit goes to Fluidattacks (Cristian Vargas) https://fluidattacks.com/advisories/neton

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/nestjs/nest/security/advisories/GHSA-r4wm-x892-vjmx
• https://nvd.nist.gov/vuln/detail/CVE-2026-2293
• https://github.com/nestjs/nest/commit/fd8d073e0e048b185147209338ca7042e52c10ba
• https://fluidattacks.com/advisories/neton
• https://github.com/nestjs/nest/releases/tag/v11.1.14
• https://github.com/advisories/GHSA-r4wm-x892-vjmx

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

nestjs/nest (@​nestjs/platform-fastify)

v11.1.14

Compare Source

v11.1.14 (2026-02-17)

Bug fixes

• platform-fastify
  • #​16384 fix(fastify): fastify middleware bypass cve (@​kamilmysliwiec)
• common
  • #​16307 fix: logger print invalid context when no stack trace provided (@​JulienDuf)

Enhancements

• common
  • #​16314 fix(common): change requestOrigin type (@​SpencerKaiser)

Committers: 5

• Julien Dufresne (@​JulienDuf)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Mykhailo Skrypsky (@​mixator)
• Spencer Kaiser (@​SpencerKaiser)
• 조수민 (@​suuuuuuminnnnnn)

v11.1.13

Compare Source

v11.1.13 (2026-02-03)

Bug fixes

• common
  • #​16230 fix(common): Fix skipping maxArrayLength and maxStringLength option (@​chojs23)

Enhancements

• microservices
  • #​16286 feat(microservices): support per-handler qos in mqtt (@​suuuuuuminnnnnn)
  • #​16262 Feat/microservices configurable max buffer size (@​jobnow)
• common
  • #​16202 fix(common): exclude built-in primitives from strip proto keys (@​som14062005)

Dependencies

• platform-fastify
  • #​16282 fix(deps): update dependency fastify to v5.7.4 (@​renovate[bot])
• platform-express
  • #​16241 fix(deps): update dependency cors to v2.8.6 (@​renovate[bot])

Committers: 6

• Lee Donghyun (@​devizi0)
• Mykhailo Skrypsky (@​mixator)
• Neo (@​chojs23)
• Praveen Somasundaram (@​som14062005)
• Ricardo Gomes (@​jobnow)
• 조수민 (@​suuuuuuminnnnnn)

v11.1.12

Compare Source

v11.1.12 (2026-01-15)

Bug fixes

• common
  • #​16187 fix(common): regression in loading file-type under Windows OS (@​iamkanguk97)

Dependencies

• platform-ws
  • #​16161 chore(deps): bump ws from 8.18.3 to 8.19.0 (@​dependabot[bot])
• common
  • #​16155 fix(deps): update dependency file-type to v21.3.0 (@​renovate[bot])
• platform-fastify
  • #​16154 fix(deps): update dependency find-my-way to v9.4.0 (@​renovate[bot])

Committers: 3

• Antonio Tripodi (@​Tony133)
• KANGUK LEE (@​iamkanguk97)
• @​miso-kyoungminkim

v11.1.11

Compare Source

v11.1.11 (2025-12-29)

Bug fixes

• platform-fastify
  • #​16135 fix(platform-fastify): middie bypassing through decoded chars (@​kamilmysliwiec)
• core
  • #​16133 fix(core): add missing catch handler for forward-ref provider resolution (@​coti-z)

Dependencies

• platform-socket.io
  • #​16125 fix(deps): update dependency socket.io to v4.8.3 (@​renovate[bot])
  • #​16114 chore(deps): bump socket.io from 4.8.1 to 4.8.2 (@​dependabot[bot])
• platform-fastify
  • #​16130 fix(deps): update dependency @​fastify/static to v9 (@​renovate[bot])
• common
  • #​16127 chore(deps): bump file-type from 21.1.1 to 21.2.0 (@​dependabot[bot])

Committers: 3

• Himanshu Gupta (@​manureja64)
• Kamil Mysliwiec (@​kamilmysliwiec)
• coti (@​coti-z)

v11.1.10

Compare Source

v11.1.10 (2025-12-22)

Bug fixes

• core
  • #​16098 fix(core): instantiate nested transient providers in static context (@​mag123c)
  • #​16005 fix(core): resolve all providers when using resolve() with each option (@​malkovitc)
• microservices
  • #​16072 fix(microservices): fix grpc stream method return type (@​shash-hq)
• common
  • #​16077 fix(common): resolve file-type path explicitly (@​shash-hq)
  • #​16013 fix(common): Support fallbackToMimetype without buffer (@​chenjieya)

Enhancements

• common
  • #​16100 fix(common): improve error handling in FileTypeValidator (@​malkovitc)
  • #​16060 feat(common): add message property to file type validator (@​Jo-Minseok)
  • #​16079 fix: enhance ValidationPipe (@​liu-jin-yi)
• core
  • #​15721 feat(core): add Promise support for SSE handlers (@​pythonjsgo)
• microservices
  • #​15975 feat(microservices): add keepalive support for server side (@​OlegStrokan)
• common, core
  • #​15986 feat(core): add option for async logger compatibility (@​mag123c)

Dependencies

• platform-fastify
  • #​16041 fix(deps): update dependency @​fastify/cors to v11.2.0 (@​renovate[bot])
• platform-express
  • #​16002 fix(deps): update dependency express to v5.2.1 (@​renovate[bot])
• common
  • #​15948 chore(deps): bump file-type from 21.1.0 to 21.1.1 (@​dependabot[bot])

Committers: 11

• Alexander (@​pythonjsgo)
• J_Coder (@​Jo-Minseok)
• Luke Son (@​KAPUIST)
• Oleh Strokan (@​OlegStrokan)
• Praveen Somasundaram (@​som14062005)
• Shashank (@​shash-hq)
• @​chenjieya
• @​giorgikakauridze
• @​mag123c
• chernomortsev evgeny (@​malkovitc)
• liu-jin-yi (@​liu-jin-yi)

v11.1.9

Compare Source

v11.1.9 (2025-11-14)

Bug fixes

• core
  • #​15865 fix(core): make get() throw for implicitly request-scoped trees (@​JoeNutt)

Enhancements

• common
  • #​15863 feat(common): add method options to @​sse decorator (@​TomerSteinberg)

Dependencies

• platform-fastify
  • #​15899 chore(deps): bump fastify from 5.6.1 to 5.6.2 (@​dependabot[bot])

Committers: 4

• Rami (@​JoeNutt)
• Rhynel Algopera (@​dev-rhynel)
• Tomer Steinberg (@​TomerSteinberg)
• WuMingDao (@​WuMingDao)

v11.1.8

Compare Source

v11.1.8 (2025-10-27)

Bug fixes

• core
  • #​15815 fix(core): ensure nested transient provider isolation (@​mag123c)
• platform-fastify
  • #​15831 fix(fastify): Migrate fastify top-level options to routerOptions (@​kim-sung-jee)

Committers: 2

• JaeHo Jang (@​mag123c)
• Seongjee Kim (@​kim-sung-jee)

v11.1.7

Compare Source

v11.1.7 (2025-10-21)

Bug fixes

• microservices
  • #​15747 Fix/rmq microservice fanout bind (@​slon2015)
• platform-fastify
  • #​15732 fix: correct parameter type in RouteConstraints decorator (@​thedv91)
• core
  • #​15571 fix(core): skip lifecycle hooks for non-instantiated transient services (@​mag123c)
• common
  • #​15577 Add color allowance check to console logger options (@​kerryChen95)

Enhancements

• common, platform-socket.io, websockets
  • #​15543 feat(websockets): allow manual acknowledgement handling with @​Ack() decorator (@​kim-sung-jee)
• common
  • #​15705 fix(core): resolve extras in configurable module builder async methods (@​mag123c)
• common, core
  • #​15503 feat(common): add force-console option to console logger (@​mag123c)
• core
  • #​15588 fix(core): improve dependency resolution error messages (@​at7211)
• microservices
  • #​15598 feat(errors): add InvalidTcpDataReceptionException for handling TCP receive errors​ (@​ghyghoo8)

Dependencies

• platform-fastify
  • #​15664 chore(deps): bump fastify to 5.6.1 (@​dependabot[bot])
• core, platform-express, platform-fastify
  • #​15622 fix(deps): update dependency path-to-regexp to v8.3.0 (@​renovate[bot])
• common
  • #​15566 chore(deps): bump load-esm from 1.0.2 to 1.0.3 (@​dependabot[bot])

Committers: 9

• Harry (@​thedv91)
• JaeHo Jang (@​mag123c)
• Jay-Chou (@​at7211)
• Kerry (@​kerryChen95)
• Micael Levi L. Cavalcante (@​micalevisk)
• Seongjee Kim (@​kim-sung-jee)
• SerafimGerasimov (@​slon2015)
• @​Olexandr88
• ghy (@​ghyghoo8)

v11.1.6

Compare Source

v11.1.6 (2025-08-07)

Bug fixes

• core
  • #​15504 fix(core): fix race condition in class dependency resolution from imported modules (@​hajekjiri)
  • #​15469 fix(core): attach root inquirer for nested transient providers (@​kamilmysliwiec)
• microservices
  • #​15508 fix(microservices): report correct buffer length in exception (@​kim-sung-jee)
  • #​15492 fix(microservices): fix kafka serilization of class instances (@​LeonBiersch)

Dependencies

• platform-fastify
  • #​15493 chore(deps): bump @​fastify/cors from 11.0.1 to 11.1.0 (@​dependabot[bot])

Committers: 6

• Jiri Hajek (@​hajekjiri)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Leon Biersch (@​LeonBiersch)
• Seongjee Kim (@​kim-sung-jee)
• @​premierbell
• pTr (@​ptrgits)

v11.1.5

Compare Source

v11.1.5 (2025-07-18)

Dependencies

• platform-express
  • #​15425 chore(deps): bump multer from 2.0.1 to 2.0.2 in /packages/platform-express (@​dependabot[bot])

v11.1.4

Compare Source

v11.1.4 (2025-07-16)

Bug fixes

• platform-fastify
  • #​15385 fix(testing): auto-init fastify adapter for middleware registration (@​mag123c)
• core, testing
  • #​15405 fix(core): fix race condition in class dependency resolution (@​hajekjiri)
• core
  • #​15333 fix(core): Make flattenRoutePath return a valid module (@​gentunian)
• microservices
  • #​15305 fix(microservices): Revisit RMQ pattern matching with wildcards (@​getlarge)
  • #​15250 fix(constants): update RMQ_DEFAULT_QUEUE to an empty string (@​EeeasyCode)

Enhancements

• platform-fastify
  • #​14789 feat(fastify): add decorator for custom schema (@​piotrfrankowski)
• common, core, microservices, platform-express, platform-fastify, websockets
  • #​15386 feat: enhance introspection capabilities (@​kamilmysliwiec)
• core
  • #​15374 feat: supporting fine async storage control (@​Farenheith)

Dependencies

• platform-ws
  • #​15350 chore(deps): bump ws from 8.18.2 to 8.18.3 (@​dependabot[bot])
• platform-fastify
  • #​15278 chore(deps): bump fastify from 5.3.3 to 5.4.0 (@​dependabot[bot])

Committers: 11

• Alexey Filippov (@​SocketSomeone)
• EFIcats (@​ext4cats)
• Edouard Maleix (@​getlarge)
• JaeHo Jang (@​mag123c)
• Jiri Hajek (@​hajekjiri)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Khan / 이창민 (@​EeeasyCode)
• Peter F. (@​piotrfrankowski)
• Sebastian (@​gentunian)
• Thiago Oliveira Santos (@​Farenheith)
• jochong (@​jochongs)

---

Configuration

📅 Schedule: (in timezone Europe/Zurich)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.