CVE-2026-54281
Nest: Middleware Bypass on Fastify via Trailing Slash
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.24, an authentication bypass vulnerability exists in @nestjs/platform-fastify. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes() API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route by simply appending a trailing slash (/) to the request URL. This bypass works on the default Fastify adapter configuration. This vulnerability is fixed in 11.1.24.
| CWE | CWE-863 |
| Vendor | nestjs |
| Product | nest |
| Published | Jun 22, 2026 |
Affected Versions
nestjs / nest
< 11.1.24