The Invisible Path: Bypassing NestJS Middleware with URL Encoding
Vulnerability ID: CVE-2025-69211
CVSS Score: 6.9
Published: 2025-12-30
A critical normalization discrepancy in the NestJS Fastify adapter allows attackers to bypass middleware security checks simply by URL-encoding characters in the request path.
TL;DR
If you are using NestJS with Fastify, your middleware might be blind. An attacker can reach protected routes like /admin by requesting /%61dmin: the middleware matcher compares its pattern against the raw, still-encoded path, finds no match and skips the middleware, but the underlying Fastify router decodes the path and serves the restricted content. Patch immediately to version 11.1.11.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-367 (Time-of-Check Time-of-Use)
- CVSS Score: 6.9 (Medium)
- Attack Vector: Network (URL Encoding)
- Impact: Security Bypass / Authorization Bypass
- Affected Component: @nestjs/platform-fastify
- Fix Version: 11.1.11
Affected Systems
- NestJS applications using @nestjs/platform-fastify
- Node.js web applications relying on path-based middleware
- @nestjs/platform-fastify: < 11.1.11 (fixed in 11.1.11)
Code Analysis
Commit: c4cedda
fix(fastify): decode url before matching middleware (support fastify v5)
const decodedUrl = safeDecodeURI(url).path; // decode percent-encoding first, so the middleware sees the same path the router will route on
const result = regexp.exec(decodedUrl);     // only then run the middleware path pattern against it
Exploit Details
- GitHub Commit Test: The patch itself includes a reproduction test case demonstrating the bypass using '%69ncluded'.
Mitigation Strategies
- Update Dependencies
- Architectural Refactoring
Remediation Steps:
- Run `npm update @nestjs/platform-fastify` to ensure you are on version 11.1.11 or higher.
- Audit your codebase for usage of `MiddlewareConsumer` specifically for security checks (AuthN/AuthZ).
- Refactor security middleware into NestJS Guards (`CanActivate` interface) where possible, as Guards operate on the execution context rather than path matching.
References
Read the full report for CVE-2025-69211 on our website for more details including interactive diagrams and full exploit analysis.