CVE-2026-54281 - Nest Fastify trailing-slash middleware bypass

CVE-2026-54281 affects @nestjs/platform-fastify applications that rely on MiddlewareConsumer.forRoutes() for access control. An unauthenticated client can bypass that middleware on the Fastify adapter by appending a trailing slash to the request URL.

The fix is not just a package bump. Repositories also need regression coverage for sensitive routes and should avoid relying on Nest middleware as the only authorization boundary for high-impact handlers.

When to use it

  • A NestJS application uses the Fastify adapter and resolves @nestjs/platform-fastify <=11.1.23.
  • Sensitive routes rely on MiddlewareConsumer.forRoutes() for authentication, authorization, tenancy, billing, admin, or workflow controls.
  • Trailing-slash variants of protected routes are not covered by route tests.
  • You need a bounded PR or triage note that upgrades the adapter and proves protected routes deny both slash forms.

Inputs

  • Node manifests, lockfiles, workspaces, Nest app modules, Fastify adapter setup, Dockerfiles, SBOMs, deployment manifests, and generated reports.
  • MiddlewareConsumer, forRoutes, route guard, handler-level authorization, and sensitive route inventory.
  • Available install, route/auth tests, unit/e2e tests, lint, typecheck, build, SBOM, and dependency/security scan commands.

Affected versions

  • Vulnerable: @nestjs/platform-fastify <= 11.1.23
  • Fixed: 11.1.24+
  • Affected pattern: Fastify adapter plus MiddlewareConsumer.forRoutes() protecting CRUD-style routes such as /resource and /resource/:id

Indicator-of-exposure

  • The repository resolves @nestjs/platform-fastify <= 11.1.23.
  • Security-sensitive routes depend on MiddlewareConsumer.forRoutes().
  • Applications expose admin, tenant, billing, or workflow-control routes on the Fastify adapter.

Quick checks:

rg -n "@nestjs/platform-fastify|MiddlewareConsumer|forRoutes\\(|FastifyAdapter|consumer\\.apply|middleware" .
npm ls @nestjs/platform-fastify
pnpm why @nestjs/platform-fastify
yarn why @nestjs/platform-fastify

Do not validate by bypassing live production auth with crafted URLs.

Remediation strategy

  • Upgrade @nestjs/platform-fastify to 11.1.24+.
  • Add route tests that assert both /path and /path/ enforce the same auth result.
  • Move critical authorization into guards, handlers, or service boundaries where middleware is currently the only control.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-54281 / GHSA-6v32-fjc9-9qf6, a Nest Fastify
middleware bypass where appending `/` can skip `MiddlewareConsumer.forRoutes()`
protections. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades the Fastify adapter, adds
  trailing-slash auth regressions, and hardens sensitive routes, or
- TRIAGE.md if this repository does not control an affected Nest Fastify app.

## Rules

- Scope only CVE-2026-54281 and directly related authorization paths.
- Treat session tokens, API keys, tenant data, and admin routes as sensitive.
- Do not hit live privileged routes with bypass probes.
- Do not auto-merge.

## Steps

1. Inventory every Nest application, workspace, image, and lockfile using the
   Fastify adapter.
2. Determine whether any resolved `@nestjs/platform-fastify` version is
   `<= 11.1.23`.
3. Search for `MiddlewareConsumer.forRoutes()` protections on sensitive routes.
4. If no controlled affected app exists, stop with `TRIAGE.md`.
5. Upgrade `@nestjs/platform-fastify` to `11.1.24+` and refresh lockfiles and
   generated dependency artifacts.
6. Add safe regression coverage that checks protected routes both with and
   without trailing slashes.
7. Add defense-in-depth authorization for high-impact handlers if middleware is
   currently the only security boundary.
8. Add a PR body section named `CVE-2026-54281 operator actions` covering
   versions before and after, which routes were retested, and where stronger
   handler-level checks were added.
9. Run relevant validation: package install, tests, route/auth tests, linting,
   typecheck, and dependency/security scans.
10. Use PR title:
    `fix(sec): remediate CVE-2026-54281 in Nest Fastify middleware`.

## Stop conditions

- No affected Nest Fastify application is controlled here.
- Meaningful verification would require live unauthorized access attempts
  against production systems.
- Fixing the route pattern requires external gateway ownership beyond this
  repository.

Verification - what the reviewer looks for

  • No controlled install resolves @nestjs/platform-fastify <= 11.1.23.
  • Sensitive routes deny both /path and /path/ to unauthorized callers.
  • Critical handlers no longer trust middleware as the only authorization layer.

Output contract

  • Reviewer-ready PR upgrading @nestjs/platform-fastify to 11.1.24+ and refreshing lockfiles, images, SBOMs, and generated reports.
  • Regression tests proving protected routes deny unauthorized callers with and without trailing slashes.
  • Defense-in-depth notes for guards, handlers, or service-boundary checks on high-impact routes.
  • TRIAGE.md when route ownership or gateway behavior is outside this repository.

Watch for

  • Upgrading the package but leaving stale image layers or lockfiles.
  • Protecting collection routes but not item routes.
  • Tests that assert only the happy path and never check slash variants.

References