CVE-2026-33011

UNKNOWN 0.0

Nest Fastify HEAD Request Middleware Bypass

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

12th

Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist). As a result: middleware will be completely skipped, the HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET handler), and the actual handler will still be executed. This issue is fixed in version 11.1.16.

CWE	CWE-670
Vendor	nestjs
Product	nest
Published	Mar 20, 2026
Last Updated	Mar 20, 2026

Stay Ahead of the Next One

Get instant alerts for nestjs nest

Be the first to know when new unknown vulnerabilities affecting nestjs nest are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

nestjs / nest

< 11.1.16

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/nestjs/nest/security/advisories/GHSA-wf42-42fg-fg84 github.com: https://github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d05ecea2ae4af95c464614 github.com: https://github.com/nestjs/nest/releases/tag/v11.1.17