Advisories for Npm/@Nestjs/Platform-Fastify package

What kind of vulnerability is it? Who is impacted? A NestJS application using @nestjs/platform-fastify can allow bypass of any middleware when Fastify path-normalization options (e.g., ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter) are enabled. In affected route-scoped middleware setups, variant paths may skip middleware checks while still reaching the protected handler. The bug is a path canonicalization mismatch between middleware matching and route matching in Nest’s Fastify adapter. Nest passes Fastify routerOptions (such as …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-r4wm-x892-vjmx. This link is maintained to preserve external references. Original Description A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects nest.Js: 11.1.13.

A NestJS application is vulnerable if it meets all of the following criteria: Platform: Uses @nestjs/platform-fastify. Security Mechanism: Relies on NestMiddleware (via MiddlewareConsumer) for security checks (authentication, authorization, etc.), or through app.use() Routing: Applies middleware to specific routes using string paths or controllers (e.g., .forRoutes('admin')). Example Vulnerable Config: // app.module.ts export class AppModule implements NestModule { configure(consumer: MiddlewareConsumer) { consumer .apply(AuthMiddleware) // Security check .forRoutes('admin'); // Vulnerable: Path-based restriction } …