NestJS Authentication and Authorization Bypass Vulnerability in Fastify Adapter

Vulnerability

A vulnerability in NestJS version 11.1.13, when using the Fastify platform, allows for authentication and authorization middleware bypass. This occurs because of a path normalization mismatch between how Fastify routes are processed and how middleware checks are applied. When certain Fastify path-normalization options are enabled, such as ignoring trailing slashes and duplicate slashes, variant paths can bypass middleware while still reaching protected handlers. This issue is categorized as a lack of data validation, creating a fail-open design flaw where security checks are inconsistently applied.

Impact

Exploitation of this vulnerability can lead to unauthorized access to protected resources or functionalities, as the middleware intended to enforce authentication and authorization is bypassed.

Reproduction

To reproduce this vulnerability, first set up a NestJS application using version 11.1.13 with the Fastify platform. Enable Fastify's path-normalization options, such as ignoreTrailingSlash and ignoreDuplicateSlashes. Then create route-scoped middleware that checks for authentication or authorization. Send requests with variant paths that take advantage of the path-normalization options, such as paths with duplicated slashes or with the trailing slash omitted, while including an authorization header. The request bypasses the middleware checks and reaches the protected handler, demonstrating the vulnerability.

Remediation

Update to NestJS version 11.1.14, which fixes the middleware bypass. The updated version is available on the NestJS GitHub Releases page.
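The following is an added illustration, not code from NestJS or Fastify, of the mismatch described above and of the fail-closed form that the fix restores: route-scoped middleware that compares the raw request path fails open whenever the router canonicalizes the path before dispatch, while middleware that matches on the same canonical form does not. The normalization shown is an assumed approximation of Fastify's ignoreTrailingSlash and ignoreDuplicateSlashes options, and the function names are hypothetical.

```typescript
// Added example (not NestJS or Fastify code). The canonicalization below is an
// assumed approximation of Fastify's ignoreTrailingSlash / ignoreDuplicateSlashes
// behaviour, used to show why raw-path middleware matching fails open.

interface NormalizeOptions {
  ignoreTrailingSlash: boolean;
  ignoreDuplicateSlashes: boolean;
}

// Collapse the path the way the router would before selecting a handler.
function canonicalizePath(rawPath: string, opts: NormalizeOptions): string {
  // Only the path portion participates in routing; drop any query string.
  let path = rawPath.split("?")[0];
  if (opts.ignoreDuplicateSlashes) {
    path = path.replace(/\/{2,}/g, "/");
  }
  if (opts.ignoreTrailingSlash && path.length > 1 && path.endsWith("/")) {
    path = path.slice(0, -1);
  }
  return path;
}

// Does the router dispatch this request to the protected handler?
function routerMatches(routePath: string, rawPath: string, opts: NormalizeOptions): boolean {
  return canonicalizePath(rawPath, opts) === canonicalizePath(routePath, opts);
}

// Vulnerable pattern: route-scoped middleware compares the raw path literally,
// so any variant the router still accepts skips the auth check (fail-open).
function naiveMiddlewareApplies(routePath: string, rawPath: string): boolean {
  return rawPath.split("?")[0] === routePath;
}

// Hardened pattern: middleware matches on the same canonical form the router
// uses, so every path the handler can receive is also seen by the middleware.
function hardenedMiddlewareApplies(routePath: string, rawPath: string, opts: NormalizeOptions): boolean {
  const path = canonicalizePath(rawPath, opts);
  const canonRoute = canonicalizePath(routePath, opts);
  return path === canonRoute || path.startsWith(canonRoute + "/");
}

// Audit helper: true when the handler is reachable but the naive middleware
// would not have run, i.e. exactly the inconsistency the advisory describes.
function failOpenGap(routePath: string, rawPath: string, opts: NormalizeOptions): boolean {
  return routerMatches(routePath, rawPath, opts) && !naiveMiddlewareApplies(routePath, rawPath);
}
```

Running failOpenGap over the paths a deployment actually accepts is a quick consistency check that middleware and router agree on the same canonical form.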

Added: Feb 27, 2026, 5:19 PM
Updated: Feb 27, 2026, 5:19 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.0
exploitability: 7.8
remediation: 7.7
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.