CVE-2026-2293 Overview
A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This authorization bypass vulnerability (CWE-863) affects NestJS version 11.1.13 and allows unauthenticated attackers to access protected resources by manipulating URL paths.
Critical Impact
Attackers can bypass authentication and authorization middleware entirely, potentially gaining unauthorized access to protected endpoints, sensitive data, and administrative functions in NestJS applications using the Fastify adapter.
Affected Products
- NestJS version 11.1.13 with @nestjs/platform-fastify
- Applications with Fastify path-normalization options enabled
- NestJS Fastify adapter configurations using custom path handling
Discovery Timeline
- 2026-02-27 - CVE-2026-2293 published to NVD
- 2026-03-02 - Last updated in NVD database
Technical Details for CVE-2026-2293
Vulnerability Analysis
This vulnerability is an authorization bypass caused by inconsistent handling of URL path normalization between Fastify and the NestJS middleware chain. When Fastify's path-normalization options are enabled, the path Fastify normalizes for routing differs from the raw path that NestJS's authentication and authorization middleware evaluates.
The root issue is ordering: the middleware runs before path normalization, so a crafted URL can fail a guard's pattern match and yet, once normalized, still resolve to the protected route. Attackers can therefore send path spellings that evade the security checks but reach sensitive application routes.
Root Cause
The vulnerability is classified under CWE-863 (Incorrect Authorization). The core issue lies in the ordering and interaction between Fastify's path normalization feature and NestJS's middleware execution pipeline. When path normalization is enabled in Fastify configuration, the framework normalizes URL paths (removing duplicate slashes, resolving dot segments, etc.) after the middleware chain has already evaluated the original, non-normalized path.
This architectural mismatch means that middleware guards checking for patterns like /admin/users can be bypassed using variations such as /admin//users, /admin/./users, or other path representations that normalize to the protected route after middleware evaluation.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending HTTP requests with specially crafted URL paths to a vulnerable NestJS application. The attacker constructs URLs that include path traversal sequences, duplicate slashes, or other path components that:
- Bypass the authentication/authorization middleware due to pattern mismatch
- Normalize to a protected route in the Fastify routing layer
- Successfully access resources that should require authentication
This allows remote attackers to potentially access administrative endpoints, retrieve sensitive user data, or perform privileged operations without proper authorization.
Detection Methods for CVE-2026-2293
Indicators of Compromise
- Unusual URL patterns in application logs containing duplicate slashes (//), dot segments (./, ../), or encoded path separators
- Successful requests to protected endpoints from unauthenticated sessions
- Access log entries showing path variations resolving to the same protected resources
- Anomalous traffic patterns with requests containing URL encoding variations
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block requests with abnormal path patterns including duplicate slashes and dot segments
- Deploy application-level logging to capture both original and normalized request paths for comparison
- Configure intrusion detection systems to alert on path traversal patterns targeting known protected endpoints
- Use runtime application self-protection (RASP) solutions to monitor middleware bypass attempts
Monitoring Recommendations
- Enable verbose request logging in NestJS applications to capture full URL paths before and after normalization
- Monitor authentication failure rates and correlate with unusual URL patterns in access logs
- Set up alerts for successful access to protected routes without corresponding authentication events
- Review application logs for patterns indicating reconnaissance or exploitation attempts
How to Mitigate CVE-2026-2293
Immediate Actions Required
- Upgrade NestJS to version 11.1.14 or later, which addresses this vulnerability
- Review application configurations for Fastify path-normalization settings and assess necessity
- Audit access logs for potential exploitation attempts prior to patching
- Implement additional URL validation at the application layer as a defense-in-depth measure
Patch Information
The NestJS development team has released version 11.1.14 which resolves this middleware bypass vulnerability. The patch ensures that authentication and authorization middleware properly evaluates normalized paths, preventing the bypass condition. Organizations should upgrade to this version immediately.
Patch resources:
Workarounds
- Disable Fastify path-normalization options if not strictly required for application functionality
- Implement custom middleware that normalizes request paths before authentication/authorization checks are performed
- Add explicit URL validation and canonicalization in route guards to ensure consistent path evaluation
- Deploy a reverse proxy or WAF configured to normalize and validate URL paths before forwarding to the application
# Example: Update NestJS to patched version
npm update @nestjs/core @nestjs/platform-fastify
# Verify installed version
npm list @nestjs/core
# Expected output: @nestjs/core@11.1.14 or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

