CVE-2026-2293: Path Canonicalization Bypass in NestJS Fastify Adapter

CVE-2026-2293 represents a critical breakdown in the request processing pipeline of NestJS applications utilizing the Fastify platform adapter. The core issue is a Path Canonicalization Mismatch (CWE-436), commonly referred to as Differential Normalization. In a layered web architecture, security controls (middleware) and request routing often operate as distinct components. When these components disagree on the interpretation of a URL path, security gaps emerge.

In the specific context of NestJS, the framework provides a middleware engine responsible for executing logic—such as authentication guards, logging, or input validation—before a request reaches its final route handler. This engine determines applicability by matching the incoming request path against defined patterns. However, the @nestjs/platform-fastify adapter historically performed this matching against the raw, unnormalized URL (req.originalUrl).

Conversely, the underlying Fastify server is highly configurable regarding URL normalization. It can be instructed to ignore trailing slashes, merge duplicate slashes, or ignore case sensitivity. When Fastify normalizes a request to route it, but NestJS fails to normalize the request before checking middleware applicability, a bypass occurs. The middleware assumes the request does not match the protected route and allows it to proceed, while Fastify subsequently routes the request to the sensitive endpoint.

The vulnerability is rooted in the decoupling of the middleware matching logic from the router's normalization logic. The NestJS middleware dispatcher relies on regular expressions generated from route paths to decide whether to execute a specific middleware. Prior to version 11.1.14, this regex matching was performed against the raw request string without accounting for the specific normalization configuration of the Fastify instance.

Technically, the failure mechanism works as follows:

1. Configuration: The Fastify instance is configured with ignoreDuplicateSlashes: true. This tells Fastify that //api and /api are semantically identical.
2. Definition: A developer defines a middleware scoped to the route /api/private.
3. Matching Logic: NestJS converts /api/private into a strict regular expression (e.g., ^/api/private).
4. Incoming Request: An attacker sends a request to //api/private.
5. The Mismatch: The NestJS middleware engine compares the raw string //api/private against the regex ^/api/private. The match fails because of the leading double slash.
6. Fail-Open: Because the match fails, the middleware is skipped (fail-open design).
7. Routing: The request passes to Fastify. Fastify applies its normalization rules, converting //api/private to /api/private, and successfully dispatches the request to the route handler.

The fix for CVE-2026-2293 introduces a synchronization mechanism between the Fastify adapter's configuration and the URL seen by the middleware matcher. The patch was applied in packages/platform-fastify/adapters/fastify-adapter.ts.

Vulnerable Logic (Conceptual): Previously, the adapter passed the raw request URL directly to the middleware container. There was no pre-processing step to align the URL with Fastify's internal router logic.

Patched Logic: The fix introduces a sanitizeUrl method. This method inspects the FastifyServerOptions (specifically routerOptions) and manually applies the same transformations that Fastify would apply later in the lifecycle.

// Analysis of the fix in FastifyAdapter
 
private sanitizeUrl(url: string): string {
  const initialConfig = this.instance.initialConfig as FastifyServerOptions;
  const routerOptions = initialConfig.routerOptions as Partial<FastifyServerOptions>;
 
  // Replicating 'ignoreDuplicateSlashes'
  if (routerOptions.ignoreDuplicateSlashes || initialConfig.ignoreDuplicateSlashes) {
    url = this.removeDuplicateSlashes(url);
  }
 
  // Replicating 'ignoreTrailingSlash'
  if (routerOptions.ignoreTrailingSlash || initialConfig.ignoreTrailingSlash) {
    url = this.trimLastSlash(url);
  }
 
  // Replicating 'caseSensitive'
  if (routerOptions.caseSensitive === false || initialConfig.caseSensitive === false) {
    url = url.toLowerCase();
  }
 
  // Decoding URI components to match router expectations
  return safeDecodeURI(
    url,
    routerOptions.useSemicolonDelimiter || initialConfig.useSemicolonDelimiter,
  ).path;
}

By ensuring the URL is sanitized before the middleware regex runs, NestJS ensures that any request Fastify would consider a match is also considered a match by the security middleware.

Exploitation of this vulnerability is trivial and requires no authentication or special tools. The attacker merely needs to identify endpoints protected by middleware and manipulate the URL path based on the server's configuration.

Scenario 1: Duplicate Slashes If ignoreDuplicateSlashes: true (often default or common configuration):

• Target: GET /admin/delete-user
• Payload: GET //admin/delete-user
• Result: Middleware for /admin is bypassed; Controller for /admin/delete-user executes.

Scenario 2: Case Sensitivity If caseSensitive: false:

• Target: GET /api/v1/secure
• Payload: GET /API/v1/SECURE
• Result: Case-sensitive regex in middleware fails; Fastify case-insensitive router succeeds.

Exploit Flow Diagram:

The impact is direct Access Control Bypass. Since NestJS relies heavily on Guards and Interceptors for authorization, bypassing these layers grants full access to the underlying business logic.

The impact of CVE-2026-2293 is rated High (CVSS 8.2) because it completely undermines the integrity of the application's authorization model. While the vulnerability requires specific Fastify configurations to be exploitable, these configurations are common in production environments to ensure user-friendly URL handling.

• Confidentiality: High. Attackers can access sensitive data endpoints (e.g., user records, financial data) that should be protected behind authentication guards.
• Integrity: High. Attackers can trigger state-changing operations (e.g., deletion, updates) on protected resources.
• Availability: Low/None. The vulnerability primarily facilitates unauthorized access rather than denial of service.

The vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N highlights that the attack is network-adjacent, low complexity, but requires specific attack requirements (AT:P, referring to the Fastify configuration prerequisites).