CVE-2025-69211

The Invisible Path: Bypassing NestJS Middleware with URL Encoding

Alon Barad, Software Engineer

Jan 1, 2026 · 5 min read

Executive Summary (TL;DR)

If you run NestJS on Fastify, your path-matched middleware may be blind to requests it was meant to cover. An unauthenticated attacker can reach a route guarded at `/admin` by requesting `/%61dmin` instead: the middleware compares its route pattern against the raw, still percent-encoded request path, finds no match and never runs, while the underlying Fastify router decodes the path, resolves it to `/admin` and serves the restricted handler. Upgrade @nestjs/platform-fastify to 11.1.11 or later.

A path-normalization discrepancy in the NestJS Fastify adapter (CVSS 4.0 score 6.9, Medium) allows an attacker to bypass middleware security checks simply by percent-encoding characters in the request path. Path-specific middleware registered through MiddlewareConsumer.forRoutes() is the exposed mechanism, because it is selected by matching a pattern against the request path; guards bound with @UseGuards() attach to the resolved controller or handler rather than to a path pattern, so a request that the router dispatches to the handler still passes through them. Keeping authorization in guards rather than in path-matched middleware is therefore worthwhile in addition to the upgrade.
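The mismatch described above, reduced to a runnable model. This is an added example, not code from NestJS, Fastify or the advisory: rawPrefixGuard() stands in for path-matched middleware that compares a prefix list against whatever string it is handed, canonicalizePath() stands in for the router's percent-decoding (decoding exactly once and collapsing dot segments is a design choice made here, not a description of Fastify's router), and ROUTES, PROTECTED_PREFIXES and the request targets are constructed for the demonstration. The vulnerable handler checks the raw path and then dispatches on the decoded one; the fixed handler canonicalizes once and runs both the check and the dispatch on the same string.

```typescript
// Added example (not NestJS or Fastify code): a minimal model of the
// check-vs-use mismatch behind CVE-2025-69211. All names and data below are
// constructed for this demonstration.

const ROUTES: Record<string, string> = {
  "/public": "public page",
  "/admin": "admin panel",
};

const PROTECTED_PREFIXES: string[] = ["/admin"];

// Percent-decode the path part of a request target and collapse "." and ".."
// segments. Returns null when an escape sequence is malformed or the path
// tries to climb above the root, so callers fail closed instead of guessing.
// Decodes exactly once: "/%2561dmin" becomes "/%61dmin", which matches no
// route, rather than being decoded a second time into "/admin".
function canonicalizePath(rawTarget: string): string | null {
  const pathOnly = rawTarget.split("?", 1)[0] ?? rawTarget;
  let decoded: string;
  try {
    decoded = decodeURIComponent(pathOnly);
  } catch {
    return null; // e.g. "/%zz" is not a valid escape
  }
  const out: string[] = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null; // would escape the root
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Stand-in for path-matched middleware: matches its prefix list against the
// string it is given. Handed the raw path, "/%61dmin" does not start with
// "/admin", so the guard stays silent.
function rawPrefixGuard(path: string, prefixes: string[]): boolean {
  return prefixes.some((p) => path === p || path.startsWith(p + "/"));
}

// Stand-in for the router's dispatch on an already-canonical path.
function dispatch(canonicalPath: string): string {
  return ROUTES[canonicalPath] ?? "404 Not Found";
}

// Vulnerable: the check runs on the raw path, the use (dispatch) on the
// decoded path, so the two can disagree about which route is being hit.
function handleVulnerable(rawTarget: string, authenticated: boolean): string {
  if (!authenticated && rawPrefixGuard(rawTarget, PROTECTED_PREFIXES)) {
    return "403 Forbidden";
  }
  const canonical = canonicalizePath(rawTarget); // router decodes after the check
  if (canonical === null) return "400 Bad Request";
  return dispatch(canonical);
}

// Fixed: canonicalize once, then check and dispatch on the same string.
function handleFixed(rawTarget: string, authenticated: boolean): string {
  const canonical = canonicalizePath(rawTarget);
  if (canonical === null) return "400 Bad Request";
  if (!authenticated && rawPrefixGuard(canonical, PROTECTED_PREFIXES)) {
    return "403 Forbidden";
  }
  return dispatch(canonical);
}

// Stand-alone demonstration: the same three unauthenticated requests through
// both handlers.
for (const target of ["/admin", "/%61dmin", "/public/../%61dmin"]) {
  console.log(target, "| vulnerable:", handleVulnerable(target, false),
              "| fixed:", handleFixed(target, false));
}
```

The structural lesson carries over to any framework: a security check is only as good as its agreement with the component that acts on the checked value, so either derive both from one canonical form, or bind the check to the resolved handler rather than to the path text. In a real NestJS application the remedy is the upgrade to 11.1.11; the model above exists to make the discrepancy concrete and testable.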


Technical Appendix

CVSS Score: 6.9 / 10 (Medium)
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N
EPSS Probability: 0.14%

Affected Systems

NestJS applications using @nestjs/platform-fastify
Node.js web applications relying on path-based middleware

Affected Versions Detail

Product: @nestjs/platform-fastify (NestJS)
Affected Versions: < 11.1.11
Fixed Version: 11.1.11

To confirm what is actually installed, run `npm ls @nestjs/platform-fastify` (or your package manager's equivalent) and check that the resolved version is 11.1.11 or later after upgrading.
Attribute: Detail
CWE ID: CWE-367 (Time-of-Check Time-of-Use)
CVSS Score: 6.9 (Medium)
Attack Vector: Network (URL encoding)
Impact: Security Bypass / Authorization Bypass
Affected Component: @nestjs/platform-fastify
Fix Version: 11.1.11
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using it, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

Note that CWE-367 is the classification assigned to this advisory, but the defect described here involves no timing window: the check (middleware path matching) is performed on one representation of the request path, the raw percent-encoded string, and the use (router dispatch) on another, the decoded string, so the check never constrains the use regardless of timing.

Vulnerability Timeline

2025-02-01: Patch commit pushed to GitHub
2025-02-14: Vulnerability analysis published