CVE-2025-69211: Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)
A NestJS application is vulnerable if it meets all of the following criteria:
- Platform: Uses @nestjs/platform-fastify.
- Security Mechanism: Relies on NestMiddleware (via MiddlewareConsumer) for security checks (authentication, authorization, etc.), or on middleware registered through app.use().
- Routing: Applies middleware to specific routes using string paths or controllers (e.g., .forRoutes('admin')).
Example Vulnerable Config:
// app.module.ts
import { Module, NestModule, MiddlewareConsumer } from '@nestjs/common';
// AuthMiddleware is the application's own NestMiddleware (not shown here)

@Module({ /* controllers, including the one serving /admin, go here */ })
export class AppModule implements NestModule {
  configure(consumer: MiddlewareConsumer) {
    consumer
      .apply(AuthMiddleware) // Security check
      .forRoutes('admin'); // Vulnerable: Path-based restriction
  }
}
Attack Vector:
- Target Route: /admin
- Middleware Path: admin
- Attack Request: GET /%61dmin
- Result: Middleware is skipped (no match on %61dmin), but the controller for /admin is executed.
Consequences:
- Authentication Bypass: Unauthenticated users can access protected routes.
- Authorization Bypass: Restricted administrative endpoints become accessible to lower-privileged users.
- Input Validation Bypass: Middleware performing sanitization or validation can be skipped.
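The mismatch above, modelled as an added example (this is not NestJS or Fastify code): a raw-string path matcher beside a matcher that percent-decodes once and fails closed on malformed input, plus a log-triage function that flags requests the router would have dispatched to a protected controller while the raw matcher skipped the middleware. The single-segment-covers-sub-paths rule and the "<ip> <method> <path>" log shape are simplifying assumptions, and all log lines are constructed.

```javascript
// Added example modelling CVE-2025-69211: middleware matched on the raw request
// path, router dispatching on the percent-decoded path. Not project code.

// Decode a raw path exactly once; null signals a malformed escape such as "%zz".
function decodePathOnce(rawPath) {
  try {
    return decodeURIComponent(rawPath);
  } catch {
    return null;
  }
}

// Assumption: a pattern like 'admin' covers '/admin' and everything beneath it.
function patternToPrefix(pattern) {
  return pattern.startsWith('/') ? pattern : '/' + pattern;
}

// Vulnerable behaviour: compare the path exactly as it arrived on the wire.
function rawMatch(rawPath, pattern) {
  const prefix = patternToPrefix(pattern);
  return rawPath === prefix || rawPath.startsWith(prefix + '/');
}

// Hardened behaviour: decode once, fail closed on malformed input, then match.
function decodedMatch(rawPath, pattern) {
  const decoded = decodePathOnce(rawPath);
  if (decoded === null) return true; // malformed encoding: treat as protected
  return rawMatch(decoded, pattern);
}

// Log triage: report requests where the decoded path hits a protected pattern
// but the raw path does not, i.e. the middleware would have been skipped.
function findBypassAttempts(logLines, protectedPatterns) {
  const hits = [];
  for (const line of logLines) {
    const m = /^(\S+) (\S+) (\S+)/.exec(line); // constructed "<ip> <method> <path>"
    if (!m) continue;
    const [, ip, method, target] = m;
    const rawPath = target.split('?')[0]; // query string plays no part in matching
    const decoded = decodePathOnce(rawPath);
    if (decoded === null) continue; // malformed: router would not reach /admin
    for (const pattern of protectedPatterns) {
      if (!rawMatch(rawPath, pattern) && rawMatch(decoded, pattern)) {
        hits.push({ ip, method, rawPath, decoded, pattern });
      }
    }
  }
  return hits;
}

// Constructed sample log: a benign request, an encoded bypass, a malformed escape.
const SAMPLE_LOG = [
  '203.0.113.5 GET /admin',
  '203.0.113.7 GET /%61dmin/users?page=1',
  '203.0.113.9 GET /%zz',
];
```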