CVE-2026-54281
HighCVSS 8.7Exploitation Probability (EPSS)
Low risk20th percentile - higher than 20% of all known CVEs
Summary
In the Nest framework, prior to version 11.1.24, there was an authentication bypass vulnerability in @nestjs/platform-fastify. An unauthenticated client can bypass the Nest middleware by appending a trailing slash (/) to the request URL.
Risk Assessment
Organizations may be exposed to unauthorized access to resources, potentially leading to data leaks or other serious security incidents.
Recommendation
It is recommended to upgrade to version 11.1.24 or later to mitigate this vulnerability and to test the application for potential security gaps.
Original NVD description (English source)
Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.24, an authentication bypass vulnerability exists in @nestjs/platform-fastify. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes() API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route by simply appending a trailing slash (/) to the request URL. This bypass works on the default Fastify adapter configuration. This vulnerability is fixed in 11.1.24.

