CVE-2026-33011: Nest Fastify HEAD Request Middleware Bypass

Published Mar 17, 2026

### Impact

In a NestJS application using `@nestjs/platform-fastify`, GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist). As a result:

- Middleware will be completely skipped.
- The HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET handler).
- The actual handler will still be executed.

### Patches

Fixed in `@nestjs/platform-fastify@11.1.16`

### Affected Software

2 affected components, fixes available:

| Component | Affected versions | Fixed version |
| --- | --- | --- |
| npm/@nestjs/platform-fastify | <=11.1.15 | 11.1.16 |
| nestjs Nest Node.js | <11.1.16 | |

### Event History

- Mar 17, 2026, 06:38 PM: Advisory published via GitHub; data sourced via GitHub (description, weakness, affected software).
- Mar 20, 2026, 04:37 AM: CVE published via MITRE; data sourced via MITRE (description, weakness).
- Mar 20, 2026, 05:16 AM: Data sourced via NVD (remedy, description, severity, weakness, affected software).
- Mar 31, 11:26 AM: Event via FIRST.

### Frequently Asked Questions

1. **What is the severity of CVE-2026-33011?**
   The CVE-2026-33011 vulnerability is considered to have a moderate severity due to its ability to bypass middleware in NestJS applications.

2. **How do I fix CVE-2026-33011?**
   To fix CVE-2026-33011, update the @nestjs/platform-fastify package to version 11.1.16 or later.

3. **What type of applications are affected by CVE-2026-33011?**
   CVE-2026-33011 affects NestJS applications using the @nestjs/platform-fastify package.

4. **What specific feature of Fastify contributes to CVE-2026-33011?**
   CVE-2026-33011 is caused by Fastify automatically redirecting HEAD requests to their corresponding GET handlers, bypassing middleware.

5. **What are the potential consequences of CVE-2026-33011?**
   The potential consequences of CVE-2026-33011 include skipped middleware execution and changes to the expected HTTP response.
