NestJS — CVE history (npm)

NestJS

9 CVEs affect the NestJS npm package (highest CVSS 9.8). Latest disclosed: 2026-06-22. Full CVE history sourced from NVD.

Summary

Package: NestJS (npm)
Total CVEs: 9
Actively exploited (CISA KEV): 0
Highest CVSS: 9.8
Latest disclosed: 2026-06-22

Recent CVEs (top 9)

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-54281 | | | | 2026-06-22 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2026-40879 | High | 7.5 | | 2026-04-21 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2026-35515 | Medium | 6.1 | | 2026-04-07 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2026-33011 | High | 7.5 | | 2026-03-20 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2026-2293 | Critical | 9.8 | | 2026-02-27 | A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. |
| CVE-2025-69211 | High | 7.4 | | 2025-12-29 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2025-54782 | High | 8.8 | | 2025-08-02 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2024-29409 | Medium | 5.5 | | 2025-03-14 | File Upload vulnerability in nestjs nest v.10.3.2 allows a remote attacker to execute arbitrary code via the Content-Type header. |
| CVE-2023-26108 | Low | 3.7 | | 2023-03-06 | Versions of the package @nestjs/core before 9.0.5 are vulnerable to Information Exposure via the StreamableFile pipe. |

All-time worst (top 8 by CVSS)

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-2293 | Critical | 9.8 | | 2026-02-27 | A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. |
| CVE-2025-54782 | High | 8.8 | | 2025-08-02 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2026-40879 | High | 7.5 | | 2026-04-21 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2026-33011 | High | 7.5 | | 2026-03-20 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2025-69211 | High | 7.4 | | 2025-12-29 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2026-35515 | Medium | 6.1 | | 2026-04-07 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2024-29409 | Medium | 5.5 | | 2025-03-14 | File Upload vulnerability in nestjs nest v.10.3.2 allows a remote attacker to execute arbitrary code via the Content-Type header. |
| CVE-2023-26108 | Low | 3.7 | | 2023-03-06 | Versions of the package @nestjs/core before 9.0.5 are vulnerable to Information Exposure via the StreamableFile pipe. |