CVE-2026-54281 - Nest Fastify trailing-slash middleware bypass
CVE-2026-54281 affects @nestjs/platform-fastify applications that rely on
MiddlewareConsumer.forRoutes() for access control. An unauthenticated client
can bypass that middleware on the Fastify adapter by appending a trailing slash
to the request URL.
The fix is not just a package bump. Repositories also need regression coverage for sensitive routes and should avoid relying on Nest middleware as the only authorization boundary for high-impact handlers.
When to use it
- A NestJS application uses the Fastify adapter and resolves
@nestjs/platform-fastify <=11.1.23. - Sensitive routes rely on
MiddlewareConsumer.forRoutes()for authentication, authorization, tenancy, billing, admin, or workflow controls. - Trailing-slash variants of protected routes are not covered by route tests.
- You need a bounded PR or triage note that upgrades the adapter and proves protected routes deny both slash forms.
Inputs
- Node manifests, lockfiles, workspaces, Nest app modules, Fastify adapter setup, Dockerfiles, SBOMs, deployment manifests, and generated reports.
MiddlewareConsumer,forRoutes, route guard, handler-level authorization, and sensitive route inventory.- Available install, route/auth tests, unit/e2e tests, lint, typecheck, build, SBOM, and dependency/security scan commands.
Affected versions
- Vulnerable:
@nestjs/platform-fastify <= 11.1.23 - Fixed:
11.1.24+ - Affected pattern: Fastify adapter plus
MiddlewareConsumer.forRoutes()protecting CRUD-style routes such as/resourceand/resource/:id
Indicator-of-exposure
- The repository resolves
@nestjs/platform-fastify <= 11.1.23. - Security-sensitive routes depend on
MiddlewareConsumer.forRoutes(). - Applications expose admin, tenant, billing, or workflow-control routes on the Fastify adapter.
Quick checks:
rg -n "@nestjs/platform-fastify|MiddlewareConsumer|forRoutes\\(|FastifyAdapter|consumer\\.apply|middleware" .
npm ls @nestjs/platform-fastify
pnpm why @nestjs/platform-fastify
yarn why @nestjs/platform-fastify
Do not validate by bypassing live production auth with crafted URLs.
Remediation strategy
- Upgrade
@nestjs/platform-fastifyto11.1.24+. - Add route tests that assert both
/pathand/path/enforce the same auth result. - Move critical authorization into guards, handlers, or service boundaries where middleware is currently the only control.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-54281 / GHSA-6v32-fjc9-9qf6, a Nest Fastify
middleware bypass where appending `/` can skip `MiddlewareConsumer.forRoutes()`
protections. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades the Fastify adapter, adds
trailing-slash auth regressions, and hardens sensitive routes, or
- TRIAGE.md if this repository does not control an affected Nest Fastify app.
## Rules
- Scope only CVE-2026-54281 and directly related authorization paths.
- Treat session tokens, API keys, tenant data, and admin routes as sensitive.
- Do not hit live privileged routes with bypass probes.
- Do not auto-merge.
## Steps
1. Inventory every Nest application, workspace, image, and lockfile using the
Fastify adapter.
2. Determine whether any resolved `@nestjs/platform-fastify` version is
`<= 11.1.23`.
3. Search for `MiddlewareConsumer.forRoutes()` protections on sensitive routes.
4. If no controlled affected app exists, stop with `TRIAGE.md`.
5. Upgrade `@nestjs/platform-fastify` to `11.1.24+` and refresh lockfiles and
generated dependency artifacts.
6. Add safe regression coverage that checks protected routes both with and
without trailing slashes.
7. Add defense-in-depth authorization for high-impact handlers if middleware is
currently the only security boundary.
8. Add a PR body section named `CVE-2026-54281 operator actions` covering
versions before and after, which routes were retested, and where stronger
handler-level checks were added.
9. Run relevant validation: package install, tests, route/auth tests, linting,
typecheck, and dependency/security scans.
10. Use PR title:
`fix(sec): remediate CVE-2026-54281 in Nest Fastify middleware`.
## Stop conditions
- No affected Nest Fastify application is controlled here.
- Meaningful verification would require live unauthorized access attempts
against production systems.
- Fixing the route pattern requires external gateway ownership beyond this
repository.
Verification - what the reviewer looks for
- No controlled install resolves
@nestjs/platform-fastify <= 11.1.23. - Sensitive routes deny both
/pathand/path/to unauthorized callers. - Critical handlers no longer trust middleware as the only authorization layer.
Output contract
- Reviewer-ready PR upgrading
@nestjs/platform-fastifyto11.1.24+and refreshing lockfiles, images, SBOMs, and generated reports. - Regression tests proving protected routes deny unauthorized callers with and without trailing slashes.
- Defense-in-depth notes for guards, handlers, or service-boundary checks on high-impact routes.
TRIAGE.mdwhen route ownership or gateway behavior is outside this repository.
Watch for
- Upgrading the package but leaving stale image layers or lockfiles.
- Protecting collection routes but not item routes.
- Tests that assert only the happy path and never check slash variants.
Related recipes
- CVE-2026-50010 Netty hostname verification bypass
- SAST finding triage and fix
- CVE intelligence intake gate
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-6v32-fjc9-9qf6
- Nest vendor advisory: https://github.com/nestjs/nest/security/advisories/GHSA-6v32-fjc9-9qf6