CVE Catalog

CVE-2026-54281

HighCVSS 8.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

20th percentile - higher than 20% of all known CVEs

Summary

In the Nest framework, prior to version 11.1.24, there was an authentication bypass vulnerability in @nestjs/platform-fastify. An unauthenticated client can bypass the Nest middleware by appending a trailing slash (/) to the request URL.

Risk Assessment

Organizations may be exposed to unauthorized access to resources, potentially leading to data leaks or other serious security incidents.

Recommendation

It is recommended to upgrade to version 11.1.24 or later to mitigate this vulnerability and to test the application for potential security gaps.

Original NVD description (English source)

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.24, an authentication bypass vulnerability exists in @nestjs/platform-fastify. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes() API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route by simply appending a trailing slash (/) to the request URL. This bypass works on the default Fastify adapter configuration. This vulnerability is fixed in 11.1.24.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS