PT-2026-49595 · Npm · @Nestjs/Platform-Fastify

Published 2026-06-15 · Updated 2026-06-16 · CVE-2026-54281

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

@nestjs/platform-fastify versions prior to 11.1.24

Description

An authentication bypass exists in the Fastify adapter when middleware is registered through the MiddlewareConsumer.forRoutes() API. An unauthenticated client can bypass registered middleware, such as authentication guards, rate limiting, or logging, by appending a trailing slash (/) to the request URL. This issue occurs with the default Fastify adapter configuration and specifically affects applications using standard CRUD route shapes, such as 'GET /resource' and 'GET /resource/:id'.

Recommendations

Update to version 11.1.24.

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-54281
GHSA-6V32-FJC9-9QF6

Affected Products

@Nestjs/Platform-Fastify