A NestJS application is vulnerable if it meets all of the following criteria:
- Platform: Uses `@nestjs/platform-fastify`.
- Security Mechanism: Relies on `NestMiddleware` (via `MiddlewareConsumer`) or `app.use()` for security checks (authentication, authorization, etc.).
- Routing: Applies middleware to specific routes using string paths or controllers (e.g., `.forRoutes('admin')`).
Example Vulnerable Config:

```typescript
// app.module.ts
import { MiddlewareConsumer, Module, NestModule } from '@nestjs/common';
// AuthMiddleware is the application's own NestMiddleware class that performs the security check.

@Module({})
export class AppModule implements NestModule {
  configure(consumer: MiddlewareConsumer) {
    consumer
      .apply(AuthMiddleware) // Security check
      .forRoutes('admin'); // Vulnerable: path-based restriction, matched against the raw request path
  }
}
```
Attack Vector:
- Target Route: `/admin`
- Middleware Path: `admin`
- Attack Request: `GET /%61dmin`
- Result: Middleware is skipped (no match on `%61dmin`), but the controller for `/admin` is executed.
Consequences:
- Authentication Bypass: Unauthenticated users can access protected routes.
- Authorization Bypass: Restricted administrative endpoints become accessible to lower-privileged users.
- Input Validation Bypass: Middleware performing sanitization or validation can be skipped.
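The root cause above is a prefix check performed on the raw request path, so a percent-encoded spelling of the same path does not match the middleware route while the router still resolves it to the controller. The following added example (written for this page, not code from the advisory or the NestJS project) contrasts a raw-path prefix match with one that decodes and normalizes the path first and fails closed on undecodable input. `rawPrefixMatch`, `normalizePath`, `normalizedPrefixMatch` and the sample URLs are this example's own; the leading-slash prefix form `/admin` is the example's convention, and the matcher is an illustration of the matching problem, not a reimplementation of Nest's router.

```typescript
// Added example: raw vs. normalized path-prefix matching for a
// middleware-style route restriction. Not part of the advisory or NestJS.

/** Decode percent-escapes and collapse duplicate or trailing slashes so that
 *  different spellings of the same path compare equal. Returns null when the
 *  escape sequence is malformed so callers can fail closed. */
function normalizePath(rawUrl: string): string | null {
  const pathOnly = rawUrl.split("?")[0];
  let decoded: string;
  try {
    decoded = decodeURIComponent(pathOnly);
  } catch {
    return null; // malformed percent-encoding: caller treats as protected
  }
  decoded = decoded.replace(/\/+/g, "/");
  if (decoded.length > 1 && decoded.endsWith("/")) {
    decoded = decoded.slice(0, -1);
  }
  return decoded;
}

/** Naive check: compares the raw URL against the prefix, as a path-based
 *  restriction that matches before decoding would. */
function rawPrefixMatch(rawUrl: string, prefix: string): boolean {
  const pathOnly = rawUrl.split("?")[0];
  return pathOnly === prefix || pathOnly.startsWith(prefix + "/");
}

/** Hardened check: match on the decoded, normalized path and fail closed
 *  (treat as protected) when the path cannot be decoded. */
function normalizedPrefixMatch(rawUrl: string, prefix: string): boolean {
  const path = normalizePath(rawUrl);
  if (path === null) return true;
  return path === prefix || path.startsWith(prefix + "/");
}

// Constructed sample request paths (not captured traffic).
const sampleUrls: string[] = [
  "/admin",
  "/admin/users",
  "/%61dmin",
  "/%61dmin/users?page=2",
  "//admin",
  "/adminx",
  "/%zz",
];

/** Run both matchers over the samples for a given protected prefix. */
function compareMatchers(
  prefix: string,
): Array<{ url: string; raw: boolean; normalized: boolean }> {
  return sampleUrls.map((url) => ({
    url,
    raw: rawPrefixMatch(url, prefix),
    normalized: normalizedPrefixMatch(url, prefix),
  }));
}

for (const row of compareMatchers("/admin")) {
  console.log(row);
}
```

The rows where `raw` is false and `normalized` is true are exactly the encoded and slash-variant spellings that a raw-path restriction lets through. The durable fix is to upgrade to the patched package; independently of that, binding checks to handlers with NestJS Guards (`@UseGuards`) rather than to string route paths removes the dependence on path matching altogether.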
Patches
Patched in @nestjs/platform-fastify@11.1.11
Resources
Credit goes to Hacktron AI for reporting this issue.
References