CVE-2026-2293: NestJS 11.1.13 - Lack of data validation allowing authentication/authorization bypass

Published Feb 27, 2026

### Impact

A NestJS application using `@nestjs/platform-fastify` can allow bypass of any middleware when Fastify path-normalization options (e.g., `ignoreTrailingSlash`, `ignoreDuplicateSlashes`, `useSemicolonDelimiter`) are enabled. In affected route-scoped middleware setups, variant paths may skip middleware checks while still reaching the protected handler.

The bug is a path canonicalization mismatch between middleware matching and route matching in Nest's Fastify adapter. Nest passes Fastify router options (such as `ignoreTrailingSlash`, `ignoreDuplicateSlashes`, `useSemicolonDelimiter`) to the Fastify router in packages/platform-fastify/adapters/fastify-adapter.ts:253. Middleware execution, however, is decided by a separate regex check over `req.originalUrl` in packages/platform-fastify/adapters/fastify-adapter.ts:706 and packages/platform-fastify/adapters/fastify-adapter.ts:713. If that regex does not match, Nest calls `next()` and skips the middleware (packages/platform-fastify/adapters/fastify-adapter.ts:714), while Fastify may still normalize the same path and route it to the protected handler.

The vulnerability therefore exists because security checks (middleware) and request dispatch (router) use different URL interpretations. This is a fail-open design issue (inconsistent normalization), not just a bad application config: non-default router options make the mismatch reachable.

### Patches

Fixed in `@nestjs/platform-fastify@11.1.14`.

### References

Credit goes to Fluidattacks ([Cristian Vargas](https://www.linkedin.com/in/cvmiracle/)): https://fluidattacks.com/advisories/neton
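The mismatch described above, modelled as an added example (not NestJS or Fastify code): a simplified normalizer that mimics the three router options, a middleware matcher that runs its regex over the raw `originalUrl` as the advisory describes, and a hardened matcher that normalizes first. `findFailOpen` is a check a team can keep in its test suite to confirm that every URL the router would dispatch to a protected handler is also seen by the middleware. The sample URLs and the `/admin` route are constructed for the example; the normalizer is an assumption that approximates Fastify's behaviour, not its real implementation.

```javascript
// Router-side view: strip the query string, then apply the configured
// normalizations. Simplified model of Fastify's routerOptions (assumption).
function normalizePath(rawUrl, opts = {}) {
  let path = rawUrl.split('?')[0];
  if (opts.useSemicolonDelimiter) path = path.split(';')[0];      // drop ;k=v params
  if (opts.ignoreDuplicateSlashes) path = path.replace(/\/{2,}/g, '/');
  if (opts.ignoreTrailingSlash && path.length > 1 && path.endsWith('/')) {
    path = path.slice(0, -1);
  }
  return path;
}

// Exact-match regex built from a static route path (metacharacters escaped).
function pathToRegex(routePath) {
  return new RegExp('^' + routePath.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') + '$');
}

// Vulnerable pattern: middleware decides on the raw path, ignoring router options.
function naiveMiddlewareApplies(rawUrl, routePath) {
  return pathToRegex(routePath).test(rawUrl.split('?')[0]);
}

// Hardened pattern: middleware decides on the same canonical path the router uses.
function consistentMiddlewareApplies(rawUrl, routePath, opts) {
  return pathToRegex(routePath).test(normalizePath(rawUrl, opts));
}

// Whether the (normalizing) router would dispatch this URL to routePath.
function routerDispatches(rawUrl, routePath, opts) {
  return normalizePath(rawUrl, opts) === routePath;
}

// Returns every URL that reaches the handler while the middleware is skipped.
// An empty result means middleware and router agree (no fail-open variant).
function findFailOpen(variants, routePath, opts, matcher) {
  return variants.filter(
    (u) => routerDispatches(u, routePath, opts) && !matcher(u, routePath, opts),
  );
}

// Constructed sample: non-default router options and a few spelling variants
// of the same protected path.
const ROUTE_OPTS = {
  ignoreTrailingSlash: true,
  ignoreDuplicateSlashes: true,
  useSemicolonDelimiter: true,
};
const SAMPLE_VARIANTS = ['/admin', '/admin/', '//admin', '/admin;x=1'];

console.log('fail-open (naive):     ', findFailOpen(SAMPLE_VARIANTS, '/admin', ROUTE_OPTS, naiveMiddlewareApplies));
console.log('fail-open (consistent):', findFailOpen(SAMPLE_VARIANTS, '/admin', ROUTE_OPTS, consistentMiddlewareApplies));
```

The naive matcher reports three variants that reach the handler without the middleware running; the consistent matcher reports none, which is the property the 11.1.14 fix restores.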

Affected Software

- npm/@nestjs/platform-fastify <= 11.1.13 (fix available: 11.1.14)
- nestjs Nest Node.js = 11.1.13

Event History

Feb 27, 2026
- CVE Published via MITRE, 04:15 PM
- Data Sourced via MITRE, 04:15 PM (Description, Weakness)
- Data Sourced via NVD, 05:16 PM (Description, Severity, Weakness)
- Data Sourced via NVD, 05:16 PM (Affected Software)

Mar 2, 2026
- Advisory Published via GitHub, 02:34 PM
- Data Sourced via GitHub, 02:34 PM (Description, Weakness, Affected Software)

Frequently Asked Questions

1. What is the severity of CVE-2026-2293?

CVE-2026-2293 is classified as a high severity vulnerability due to its potential for authentication and authorization bypass.

2. How do I fix CVE-2026-2293?

To mitigate CVE-2026-2293, upgrade to a patched version of NestJS, specifically version 11.1.14 or later.

3. What impact does CVE-2026-2293 have on my application?

CVE-2026-2293 allows unauthorized access, which could lead to data breaches or unauthorized actions within your application.

4. Which versions of NestJS are affected by CVE-2026-2293?

CVE-2026-2293 affects NestJS version 11.1.13 and earlier.

5. Is CVE-2026-2293 specific to certain configurations?

Yes, CVE-2026-2293 is specifically a concern when Fastify path-normalization options are enabled in the NestJS application.
