chore(deps): update dependency @nestjs/platform-fastify to v11.1.24 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@nestjs/platform-fastify (source)	11.1.14 → 11.1.24

---

Nest Fastify HEAD Request Middleware Bypass

CVE-2026-33011 / GHSA-wf42-42fg-fg84

More information

Details

Impact

In a NestJS application using @nestjs/platform-fastify, GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist).

As a result:

• Middleware will be completely skipped.
• The HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET handler).
• The actual handler will still be executed.

Patches

Fixed in @nestjs/platform-fastify@11.1.16

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/nestjs/nest/security/advisories/GHSA-wf42-42fg-fg84
• https://github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d05ecea2ae4af95c464614
• https://github.com/nestjs/nest/releases/tag/v11.1.17
• https://nvd.nist.gov/vuln/detail/CVE-2026-33011
• https://github.com/advisories/GHSA-wf42-42fg-fg84

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Nest: Middleware Bypass on Fastify via Trailing Slash

CVE-2026-54281 / GHSA-6v32-fjc9-9qf6

More information

Details

Impact

An authentication bypass vulnerability exists in @nestjs/platform-fastify (confirmed on version 11.1.24, the latest available release at time of report). When middleware is registered through NestJS's MiddlewareConsumer.forRoutes() API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route by simply appending a trailing slash (/) to the request URL.

This bypass works on the default Fastify adapter configuration — no special router options need to be enabled. Applications using the standard CRUD route shape (GET /resource and GET /resource/:id) are affected when they protect those routes with MiddlewareConsumer.forRoutes() middleware.

Patches

Fixed in @nestjs/platform-fastify@11.1.24

References

Kudos goes to @​a-tt-om

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

References

• https://github.com/nestjs/nest/security/advisories/GHSA-6v32-fjc9-9qf6
• https://github.com/advisories/GHSA-6v32-fjc9-9qf6

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

nestjs/nest (@​nestjs/platform-fastify)

v11.1.24

Compare Source

v11.1.24 (2026-05-25)

Bug fixes

• core
  • #​17009 fix(core): reset dependency-tree cache on metadata changes (@​puneetdixit200)

Enhancements

• core
  • #​16997 feat(core): warn on late websocket adapter registration (@​hbinhng)

Dependencies

• platform-ws
  • #​17011 chore(deps): bump ws from 8.20.1 to 8.21.0 (@​dependabot[bot])

Committers: 2

• Nguyễn Hải Bình (@​hbinhng)
• Puneet Dixit (@​puneetdixit200)

v11.1.23

Compare Source

v11.1.23 (2026-05-21)

Bug fixes

• core
  • #​16998 fix snapshot: true eagerly instantiates Terminus transient indicators since 11.1.20

Committers: 1

• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.22

Compare Source

v11.1.22 (2026-05-21)

Bug fixes

• core
  • #​16993 fix(core): inflight request injection bug #​16989 (@​kamilmysliwiec)

Enhancements

• core
  • #​16967 fix(core): identify decorator type in invalid-class-module error (@​HarrierOnChain)

Committers: 2

• Harrier (@​HarrierOnChain)
• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.21

Compare Source

v11.1.21 (2026-05-14)

Bug fixes

• core
  • #​16948 fix(core): settle skipped provider initialization (@​yudin-s)

Committers: 1

• Serge Yudin (@​yudin-s)

v11.1.20

Compare Source

v11.1.20 (2026-05-13)

Bug fixes

• core, testing
  • #​16939 fix(core): fix deeply nested transient providers resolution (@​kamilmysliwiec)
• core
  • #​16861 fix(core): fix @​Sse losing events on complete (@​MatthiasBrehmer)
  • #​16753 fix(core): defer sse writehead until after lifecycle completes (@​jkalberer)
  • #​16782 fix(core): use strict null check for SSE message id (@​burhanharoon)
• microservices
  • #​16850 fix(microservices): ServerRMQ crashes at boot when @​MessagePattern(undefined) is combined with wildcards: true (@​lavieennoir)
• common
  • #​16845 fix(common): accept zero timestamp in parse date pipe (@​Mysh3ll)
• platform-socket.io
  • #​16742 fix(socket.io): Deduplicate disconnect listener in bindMessageHandlers (@​fru1tworld)

Enhancements

• microservices
  • #​16676 feat(microservices): add return buffers option for binary data (@​Forceres)
  • #​16826 feat(microservices): handle rmq blocked/unblocked connection events (@​thisalihassan)
• common
  • #​16902 fix(common): filetype validator buffer message (@​QusaiAlbonni)
• platform-express
  • #​16844 feat(platform-express): add defParamCharset to MulterOptions (@​starnayuta)

Dependencies

• platform-ws
  • #​16941 chore(deps): bump ws from 8.20.0 to 8.20.1 (@​dependabot[bot])

Committers: 13

• Ali Hassan (@​thisalihassan)
• Burhan Haroon⚡ (@​burhanharoon)
• Dmytro Khyzhniak (@​lavieennoir)
• Harsh Rathod (@​harshrathod50)
• IlyaCredo (@​Forceres)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Mysh3ll (@​Mysh3ll)
• @​MatthiasBrehmer
• @​QusaiAlbonni
• @​jkalberer
• @​pazaderey
• fru1tworld (@​fru1tworld)
• starnayuta (@​starnayuta)

v11.1.19

Compare Source

v11.1.19 (2026-04-13)

Bug fixes

• microservices
  • #​16762 fix(microservices): use backing field for consumer CRASH event listener (@​burhanharoon)
  • #​16764 fix(microservices): prevent stack overflow in jsonsocket.handledata() (@​kamilmysliwiec)

Committers: 2

• Burhan Haroon⚡ (@​burhanharoon)
• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.18

Compare Source

v11.1.18 (2026-04-03)

Bug fixes

• microservices
  • #​16675 fix(microservices): preserve packet headers in nats serializer (@​wwenrr)
• core
  • #​16683 fix(core): prevent injector hang when design:paramtypes is missing (@​Youmoo)
  • #​16637 fix(core): dependency injection edge case with moduleref.create (@​JakobStaudinger)
  • #​16686 fix(core): sanitize sse message

Dependencies

• core, platform-express, platform-fastify
  • #​16679 fix(deps): update dependency path-to-regexp to v8.4.2 (@​renovate[bot])
• platform-fastify
  • #​16623 fix(deps): update dependency fastify to v5.8.4 (@​renovate[bot])
• platform-ws
  • #​16618 chore(deps): bump ws from 8.19.0 to 8.20.0 (@​dependabot[bot])
• common
  • #​16619 chore(deps): bump file-type from 21.3.3 to 21.3.4 (@​dependabot[bot])

Committers: 6

• Ankit San (@​ankitbelal)
• Jakob Staudinger (@​JakobStaudinger)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Krishna Chaitanya (@​Krishnachaitanyakc)
• MK (@​wwenrr)
• youmoo (@​Youmoo)

v11.1.17

Compare Source

v11.1.17 (2026-03-16)

Enhancements

• microservices
  • #​16218 feat(microservices): add redis driver identification (@​vchomakov)

Bugs

• platform-fastify
  • auto-run middleware for HEAD requests as fastify redirects them to GET handlers (effectively skipping middleware execution) cbdf737 (@​kamilmysliwiec)

Dependencies

• common
  • #​16567 fix(deps): update dependency file-type to v21.3.2 (@​renovate[bot])
• platform-fastify
  • #​16533 fix(deps): update dependency fastify to v5.8.2 (@​renovate[bot])

Committers: 3

• Rohan Santhosh Kumar (@​Rohan5commit)
• Vasil Chomakov (@​vchomakov)
• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.16

Compare Source

v11.1.16 (2026-03-05)

Bug fixes

• microservices
  • #​16506 fix(microservices): fix double callback when isdisposed or err is truthy (@​LhonRafaat)

Dependencies

• platform-express
  • #​16507 fix(deps): update dependency multer to v2.1.1 (@​renovate[bot])

Committers: 2

• Lhon (@​LhonRafaat)
• Shahnoor Mujawar (@​shahnoormujawar)

v11.1.15

Compare Source

What's Changed

• fix(microservices): if indexOf return 0 will if will be falsy by @​cuiweixie in #​16401
• fix(microservices): introuduce max pattern depth and object complexity by @​kamilmysliwiec in #​16402
• chore(@​nestjs/core): allow override for initializeWildcardHandlersIfE… by @​StNekroman in #​16468
• chore(deps): update dependency @​fastify/middie to v9.2.0 [security] by @​renovate[bot] in #​16472
• fix(deps): update dependency multer to v2.1.0 [security] by @​renovate[bot] in #​16474

New Contributors

• @​cuiweixie made their first contribution in #​16401
• @​StNekroman made their first contribution in #​16468

Full Changelog: nestjs/nest@v11.1.14...v11.1.15

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.