Middleware Bypass Vulnerability in NestJS Fastify Framework
CVE-2026-33011

8.7HIGH

Key Information:

Vendor

Nestjs

Status
Nest
Vendor
CVE Published:
20 March 2026

What is CVE-2026-33011?

In NestJS versions 11.1.15 and earlier, a vulnerability exists within the @nestjs/platform-fastify GET middleware that allows it to be bypassed. This occurs due to Fastify's behavior of automatically redirecting HEAD requests to their corresponding GET handlers, bypassing the middleware entirely. Consequently, the HTTP response omits a body because it is truncated when a HEAD request is redirected to a GET handler. The underlying handler is still executed, potentially exposing sensitive logic or data. This issue has been addressed in version 11.1.16.

Affected Version(s)

nest < 11.1.16

References

https://github.com/nestjs/nest/security/advisories/GHSA-w...
x_refsource_CONFIRM
https://github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d...
x_refsource_MISC
https://github.com/nestjs/nest/releases/tag/v11.1.17
x_refsource_MISC

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.