PT-2026-22347 · Fastify+2 · Fastify+2

Cristian Vargas

Published

2026-02-27

Updated

2026-04-14

CVE-2026-2293

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Nest.js version 11.1.13

Description A NestJS application utilizing the @nestjs/platform-fastify package may experience a bypass of authentication and authorization middleware when Fastify path-normalization options are enabled. This can potentially allow unauthorized access to protected resources.

Recommendations Ensure Fastify path-normalization options are disabled in NestJS applications using @nestjs/platform-fastify.

Exploit

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

CVE-2026-2293

GHSA-7Q64-3RG2-H9PF

GHSA-R4WM-X892-VJMX

Affected Products

@Nestjs/Platform-Fastify

Fastify

Nestjs

PT-2026-22347 · Fastify+2 · Fastify+2

CVE-2026-2293

Weakness Enumeration

Related Identifiers

Affected Products

References · 12