Vulnerability in Nestjs Nest
CVE-2026-33011
Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requ…
EPSS: 0.000 (13.5th percentile)
Affected products
- Nestjs Nest — versions < 11.1.16
Weakness classification (CWE)
References
- https://github.com/nestjs/nest/security/advisories/GHSA-wf42-42fg-fg84 (x_refsource_CONFIRM)
- https://github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d05ecea2ae4af95c464614 (x_refsource_MISC)
- https://github.com/nestjs/nest/releases/tag/v11.1.17 (x_refsource_MISC)