
Posted on • Originally published at cvereports.com

CVE-2026-2293: Path Canonicalization Bypass in NestJS Fastify Adapter

Vulnerability ID: CVE-2026-2293
CVSS Score: 8.2
Published: 2026-03-02

A high-severity path canonicalization vulnerability exists in the @nestjs/platform-fastify adapter of the NestJS framework. The vulnerability arises from a discrepancy between how the NestJS middleware engine matches routes (against the raw request URL) and how the underlying Fastify router dispatches requests (against a normalized URL). This "differential normalization" allows remote attackers to bypass route-scoped authentication and authorization middleware by crafting malformed URLs (e.g., containing double slashes or casing variations) that fail the middleware's regex matching but are still routed to protected controllers.

TL;DR

CVE-2026-2293 allows unauthenticated attackers to bypass NestJS middleware guards when using the Fastify adapter. By exploiting differences in URL normalization, attackers can access protected endpoints using manipulated paths like //admin or /ADMIN. Fixed in version 11.1.14.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-436
  • Attack Vector: Network
  • CVSS Score: 8.2 (High)
  • EPSS Score: 0.11%
  • Impact: Authorization Bypass
  • Exploit Status: Proof of Concept Available

Affected Systems

  • NestJS Framework
  • @nestjs/platform-fastify
  • Node.js Applications using Fastify
  • @nestjs/platform-fastify: < 11.1.14 (Fixed in: 11.1.14)

Code Analysis

Commit: fd8d073

fix(fastify): sanitize url before processing middleware (v11)

private sanitizeUrl(url: string): string { ... }

Exploit Details

  • GitHub: Patch regression tests demonstrate the exploit methodology

Mitigation Strategies

  • Dependency Upgrade
  • Configuration Hardening
  • Defense in Depth

Remediation Steps:

  1. Update @nestjs/platform-fastify and core NestJS packages to version 11.1.14 or later immediately.
  2. If immediate patching is not feasible, explicitly disable loose normalization in the Fastify adapter configuration.
  3. Set ignoreDuplicateSlashes: false in the FastifyAdapter options.
  4. Set ignoreTrailingSlash: false in the FastifyAdapter options.
  5. Ensure caseSensitive is set to true (default in some versions, but explicit definition is safer).
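The following model, added here as an illustration and not code from NestJS or Fastify, shows why the two matchers disagree and how the hardened option values above close the gap. The option names mirror Fastify's server options; the helper functions (routerView, middlewareApplies, outcome) and the guard/route paths are hypothetical.

```typescript
// Hypothetical model of the differential normalization behind CVE-2026-2293.
// Option names mirror Fastify's server options; everything else is constructed.
interface RouterOptions {
  ignoreDuplicateSlashes: boolean;
  ignoreTrailingSlash: boolean;
  caseSensitive: boolean;
}

// Loosened settings under which the router accepts non-canonical URLs.
const LOOSE: RouterOptions = {
  ignoreDuplicateSlashes: true,
  ignoreTrailingSlash: true,
  caseSensitive: false,
};

// Hardened settings from the remediation steps above.
const HARDENED: RouterOptions = {
  ignoreDuplicateSlashes: false,
  ignoreTrailingSlash: false,
  caseSensitive: true,
};

// The path the router compares against its route table after applying its options.
function routerView(url: string, opts: RouterOptions): string {
  let path = url.split("?")[0];
  if (opts.ignoreDuplicateSlashes) path = path.replace(/\/{2,}/g, "/");
  if (opts.ignoreTrailingSlash && path.length > 1) path = path.replace(/\/+$/, "");
  if (!opts.caseSensitive) path = path.toLowerCase();
  return path;
}

// Route-scoped middleware matches the raw path against a prefix regex, so
// "//admin/..." or "/ADMIN/..." does not satisfy a guard registered for "/admin".
function middlewareApplies(path: string, prefix: string): boolean {
  const escaped = prefix.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped + "(?:/.*)?$").test(path.split("?")[0]);
}

// "blocked": the guard ran; "bypassed": the protected route was served without it;
// "not-routed": the router rejected the URL, so nothing was exposed.
// canonicalizeFirst models giving the middleware the same normalized path the
// router uses, the principle behind the "sanitize url before processing middleware" fix.
function outcome(rawUrl: string, guardPrefix: string, protectedRoute: string,
                 opts: RouterOptions, canonicalizeFirst = false): string {
  const routed = routerView(rawUrl, opts) === protectedRoute;
  if (!routed) return "not-routed";
  const seenByGuard = canonicalizeFirst ? routerView(rawUrl, opts) : rawUrl;
  return middlewareApplies(seenByGuard, guardPrefix) ? "blocked" : "bypassed";
}
```

Under LOOSE, "//admin/users" and "/ADMIN/users" reach the "/admin/users" handler without the "/admin" guard running; under HARDENED the router rejects them outright, and canonicalizing before the middleware check blocks them even with loose options.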


Read the full report for CVE-2026-2293 on our website for more details including interactive diagrams and full exploit analysis.
