Login Sign Up

CVE-2025-69211

7.4 HIGH
Authentication Bypass

📋 TL;DR

NestJS applications using Fastify platform with route-specific middleware are vulnerable to URL encoding bypass. This allows attackers to access protected routes without authentication or authorization checks. Only applications using @nestjs/platform-fastify with middleware applied to specific routes are affected.

💻 Affected Systems

Products:
  • NestJS
  • @nestjs/platform-fastify
Versions: All versions prior to 11.1.11
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using: 1) @nestjs/platform-fastify, 2) NestMiddleware via MiddlewareConsumer or app.use(), 3) Route-specific middleware application

📦 What is this software?

Nest by Nestjs

View all CVEs affecting Nest →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete authentication/authorization bypass leading to unauthorized administrative access, data exposure, or privilege escalation.

🟠

Likely Case

Unauthorized access to protected endpoints, potentially exposing sensitive data or allowing unauthorized actions.

🟢

If Mitigated

Limited impact if additional security layers (application-level checks, network segmentation) are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting specially encoded URLs to bypass middleware path matching

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: @nestjs/platform-fastify@11.1.11

Vendor Advisory: https://github.com/nestjs/nest/security/advisories/GHSA-8wpr-639p-ccrj

Restart Required: Yes

Instructions:

Update package.json to specify "@nestjs/platform-fastify": "^11.1.11"
Run: npm update @nestjs/platform-fastify
Restart the application

🔧 Temporary Workarounds

Switch to Express Platform

all

Temporarily switch from Fastify to Express platform which is not affected

npm uninstall @nestjs/platform-fastify
npm install @nestjs/platform-express
Update main.ts to use ExpressAdapter

Apply Global Middleware

all

Apply security middleware globally instead of route-specific to avoid bypass

In AppModule: apply middleware globally using app.use() or MiddlewareConsumer without .forRoutes()

🧯 If You Can't Patch

  • Implement additional authentication checks at controller/service level
  • Use network-level access controls to restrict sensitive endpoints

🔍 How to Verify

Check if Vulnerable:

Check package.json for @nestjs/platform-fastify version <11.1.11 and verify route-specific middleware usage

Check Version:

npm list @nestjs/platform-fastify

Verify Fix Applied:

Verify package.json shows @nestjs/platform-fastify version >=11.1.11 and test protected routes with encoded URLs

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to protected routes
  • Requests with encoded characters in URLs to middleware-protected endpoints

Network Indicators:

  • HTTP requests to protected endpoints without authentication headers
  • URLs with multiple encoding patterns

SIEM Query:

source="application_logs" AND (url CONTAINS "%" AND path IN ["protected_endpoints"])

📊 Metadata

CVE ID: CVE-2025-69211
CVSS v3 Score: 7.4 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-367
EPSS Score: 0.24% exploit probability (47.2th percentile)
Published: December 29, 2025
Last Updated: February 20, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-69211, you might also want to check these:

CVE-2026-25641 10.0

CVE-2026-25641 is a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attack...

Same vulnerability type (CWE-367)
CVE-2025-64180 10.0

A critical TOCTOU vulnerability in Manager accounting software allows attackers to bypass DNS valida...

Same vulnerability type (CWE-367)
CVE-2025-13032 9.9

A double fetch vulnerability in the sandbox kernel driver of Avast/AVG Antivirus on Windows allows l...

Same vulnerability type (CWE-367)