Jan 1, 2026 · 5 min read
If you are using NestJS with Fastify, your middleware might be blind. An attacker can access protected routes like `/admin` by requesting `/%61dmin`. The middleware sees a mismatch and ignores it, but the underlying Fastify router decodes it and serves the restricted content. Patch immediately to version 11.1.11.
A critical normalization discrepancy in the NestJS Fastify adapter allows attackers to bypass middleware security checks simply by URL-encoding characters in the request path.
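The discrepancy is easiest to see side by side. The following is an added example, not code from the NestJS or Fastify projects: a naive middleware matcher that compares the raw, still-encoded request path against a protected prefix, next to a hardened matcher that decides on a canonical decoded path and fails closed when the path cannot be decoded. The protected prefix `/admin`, the helper names, and the canonicalization rules (percent-decode once, drop empty and `.` segments, resolve `..`) are assumptions for illustration; the real remedy for the adapter bug is upgrading to 11.1.11, and the example only shows why the check and the dispatch must agree on the same normalized form.

```javascript
// Added example (not NestJS/Fastify project code). Demonstrates the
// check-vs-dispatch mismatch: a path matcher that compares the raw URL
// disagrees with a router that decodes the path before routing.

const PROTECTED_PREFIXES = ['/admin']; // assumed protected route prefix

function matchesPrefix(path) {
  return PROTECTED_PREFIXES.some((p) => path === p || path.startsWith(p + '/'));
}

// Naive matcher: compares the raw, still-encoded path. '/%61dmin' does not
// start with '/admin', so the protection is skipped, even though a router
// that decodes '%61' to 'a' dispatches the request to the /admin handler.
function naiveIsProtected(rawUrl) {
  const path = rawUrl.split('?')[0];
  return matchesPrefix(path);
}

// Canonicalize the path (assumed rules): strip the query string,
// percent-decode once, drop empty and '.' segments, resolve '..'.
// Returns null when the escape sequences are malformed so the caller can
// reject the request instead of guessing.
function canonicalPath(rawUrl) {
  let path = rawUrl.split('?')[0];
  try {
    path = decodeURIComponent(path);
  } catch (e) {
    return null; // malformed percent-encoding: invalid, not "unprotected"
  }
  const out = [];
  for (const seg of path.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Hardened matcher: decides on the canonical path and fails closed
// (treats the request as protected) when canonicalization is impossible.
function hardenedIsProtected(rawUrl) {
  const path = canonicalPath(rawUrl);
  if (path === null) return true;
  return matchesPrefix(path);
}

// Constructed sample requests, showing where the two matchers disagree.
const SAMPLE_REQUESTS = ['/admin', '/%61dmin', '/%61dmin/users?x=1', '/public', '/%zz'];
for (const url of SAMPLE_REQUESTS) {
  console.log(
    `${url}: naive=${naiveIsProtected(url)} hardened=${hardenedIsProtected(url)}`
  );
}
```

The middleware-side comparison is only one half of the fix: if the router normalizes differently from the check (for example, treats `%2F` or `..` differently from the rules above), the two can still diverge, so the canonical form used for the authorization decision should be the same one the router uses for dispatch.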
CVSS vector: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N`

| Product | Affected Versions | Fixed Version |
|---|---|---|
| @nestjs/platform-fastify (NestJS) | < 11.1.11 | 11.1.11 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-367 (Time-of-Check Time-of-Use) |
| CVSS Score | 6.9 (Medium) |
| Attack Vector | Network (URL Encoding) |
| Impact | Security Bypass / Authorization Bypass |
| Affected Component | @nestjs/platform-fastify |
| Fix Version | 11.1.11 |
CWE-367 describes the weakness class: the product checks the state of a resource before using it, but the resource's state can change between the check and the use in a way that invalidates the result of the check. Here the "check" is the middleware's comparison against the encoded path and the "use" is the router's dispatch on the decoded path.