NestJS @nestjs/platform-fastify GET Middleware Bypass Vulnerability

Vulnerability

A vulnerability exists in NestJS applications using the @nestjs/platform-fastify package, in versions 11.1.15 and prior. The issue arises because Fastify redirects HEAD requests to their corresponding GET handlers, bypassing any middleware that would normally be applied. This redirection causes the response to lack a body, as HEAD responses are truncated, while still allowing the actual handler to execute. Consequently, the middleware is completely skipped, which could lead to unintended behavior in the application.

Impact

Exploitation of this vulnerability allows for the bypassing of GET middleware in Fastify, causing middleware to be skipped entirely, and disrupting the expected response by omitting the body.

Reproduction

To reproduce this vulnerability, create a NestJS application that uses the @nestjs/platform-fastify package. Define a GET route with middleware applied. Then, send a HEAD request to the route. The Fastify framework will automatically redirect the HEAD request to the GET handler, bypassing the middleware. The response will not include a body, and the GET handler will be executed as usual, but without the middleware processing.

Remediation

Users can upgrade to @nestjs/platform-fastify version 11.1.16 or later to address this vulnerability.

Added: Mar 20, 2026, 5:23 AM
Updated: Mar 20, 2026, 5:23 AM

Vulnerability Rating

Custom Algorithm
spread
5.2
impact
1.3
exploitability
8.2
remediation
7.7
relevance
2.8
threat
4.8
urgency
2.9
incentive
4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.