CVE-2026-54281 Overview
CVE-2026-54281 is an authentication bypass vulnerability in @nestjs/platform-fastify, the Fastify adapter for the NestJS Node.js framework. The flaw affects all versions prior to 11.1.24. When middleware is registered through the MiddlewareConsumer.forRoutes() API on the Fastify adapter, an unauthenticated client can bypass that middleware by appending a trailing slash (/) to the request URL. The bypass works against the default Fastify adapter configuration, meaning standard NestJS deployments are exposed without additional misconfiguration. The vulnerability maps to [CWE-863] Incorrect Authorization and is fixed in NestJS 11.1.24.
Critical Impact
Attackers can reach protected routes without triggering authentication, authorization, rate-limiting, or logging middleware, exposing sensitive endpoints to unauthenticated access.
Affected Products
- @nestjs/platform-fastify versions prior to 11.1.24
- NestJS applications using MiddlewareConsumer.forRoutes() with the default Fastify adapter
- Node.js server-side applications built on the affected NestJS Fastify integration
Discovery Timeline
- 2026-06-22 - CVE-2026-54281 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2026-54281
Vulnerability Analysis
NestJS is a framework for building scalable Node.js server-side applications. It supports two HTTP adapters: Express and Fastify. Middleware registered through MiddlewareConsumer.forRoutes() is intended to execute for every request matching the configured route pattern. On the Fastify adapter, the path-matching logic treats /protected and /protected/ as distinct routes for middleware evaluation. The route handler resolves both forms to the same controller method, but the middleware pipeline only matches the exact path without the trailing slash. An attacker who appends / to any protected URL reaches the handler while skipping the registered middleware, including authentication and authorization guards implemented as middleware.
Root Cause
The root cause is inconsistent URL normalization between Fastify's router and NestJS's middleware route-matching layer. NestJS registers middleware against a strict path pattern, while Fastify's default router strips or ignores trailing slashes when dispatching to controllers. This mismatch produces the authorization gap classified under [CWE-863].
Attack Vector
Exploitation requires no authentication and no user interaction. An attacker sends an HTTP request over the network to any route protected only by middleware registered via forRoutes(), appending a trailing slash to the path. For example, a request to /admin/users/ reaches the controller while the auth middleware bound to /admin/users does not execute. The vulnerability is exploitable remotely against the default adapter configuration, and the CVSS vector indicates high confidentiality and integrity impact with low privilege requirements.
No public proof-of-concept code has been released. See the GitHub Security Advisory GHSA-6v32-fjc9-9qf6 for upstream technical details.
Detection Methods for CVE-2026-54281
Indicators of Compromise
- HTTP access logs showing requests to sensitive paths ending in / that returned 200 responses without a preceding authentication event.
- Paired log entries where the unslashed path (/api/admin) is consistently authenticated but the slashed variant (/api/admin/) lacks corresponding auth records.
- Unexpected controller invocations for routes that should have been blocked by guards or middleware.
Detection Strategies
- Inspect package.json and package-lock.json for @nestjs/platform-fastify versions earlier than 11.1.24.
- Replay known-protected requests with and without trailing slashes during security testing and compare authentication outcomes.
- Audit application code for routes secured exclusively through MiddlewareConsumer.forRoutes() rather than NestJS Guards.
Monitoring Recommendations
- Forward web application and reverse-proxy logs to a SIEM and alert on access to administrative paths missing authentication context.
- Track 2xx responses to sensitive endpoints from clients that never produced a valid login event in the same session.
- Monitor for scanning patterns that systematically append / to URLs across the application surface.
How to Mitigate CVE-2026-54281
Immediate Actions Required
- Upgrade @nestjs/platform-fastify to version 11.1.24 or later across all NestJS services.
- Inventory routes protected only by middleware and validate behavior with and without trailing slashes after patching.
- Migrate critical authentication and authorization logic from middleware to NestJS Guards, which evaluate at the route-handler level.
Patch Information
The maintainers fixed the trailing-slash bypass in NestJS 11.1.24. Update the dependency with npm install @nestjs/platform-fastify@^11.1.24 or the equivalent yarn or pnpm command, then redeploy. Patch details are documented in the GitHub Security Advisory GHSA-6v32-fjc9-9qf6.
Workarounds
- Configure the Fastify adapter to normalize URLs by enabling ignoreTrailingSlash: true so that slashed and unslashed paths resolve identically for middleware matching.
- Register middleware route patterns to cover both variants explicitly, for example forRoutes('admin', 'admin/').
- Enforce authentication using NestJS Guards or global interceptors instead of relying on path-bound middleware.
# Configuration example: enforce trailing-slash normalization on the Fastify adapter
# main.ts
import { NestFactory } from '@nestjs/core';
import { FastifyAdapter, NestFastifyApplication } from '@nestjs/platform-fastify';
import { AppModule } from './app.module';
async function bootstrap() {
const app = await NestFactory.create<NestFastifyApplication>(
AppModule,
new FastifyAdapter({ ignoreTrailingSlash: true }),
);
await app.listen(3000);
}
bootstrap();
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

