NestJS — CVE history (npm)
NestJS
9 CVEs affect the NestJS npm package (highest CVSS 9.8). Latest disclosed: 2026-06-22. Full CVE history sourced from NVD.
Summary
- Package: NestJS (npm)
- Total CVEs: 9
- Actively exploited (CISA KEV): 0
- Highest CVSS: 9.8
- Latest disclosed: 2026-06-22
Recent CVEs (top 9)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-54281 | — | — | — | 2026-06-22 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2026-40879 | High | 7.5 | — | 2026-04-21 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2026-35515 | Medium | 6.1 | — | 2026-04-07 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2026-33011 | High | 7.5 | — | 2026-03-20 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2026-2293 | Critical | 9.8 | — | 2026-02-27 | A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. |
| CVE-2025-69211 | High | 7.4 | — | 2025-12-29 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2025-54782 | High | 8.8 | — | 2025-08-02 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2024-29409 | Medium | 5.5 | — | 2025-03-14 | File Upload vulnerability in nestjs nest v.10.3.2 allows a remote attacker to execute arbitrary code via the Content-Type header. |
| CVE-2023-26108 | Low | 3.7 | — | 2023-03-06 | Versions of the package @nestjs/core before 9.0.5 are vulnerable to Information Exposure via the StreamableFile pipe. |
All-time worst (top 8 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-2293 | Critical | 9.8 | — | 2026-02-27 | A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. |
| CVE-2025-54782 | High | 8.8 | — | 2025-08-02 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2026-40879 | High | 7.5 | — | 2026-04-21 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2026-33011 | High | 7.5 | — | 2026-03-20 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2025-69211 | High | 7.4 | — | 2025-12-29 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2026-35515 | Medium | 6.1 | — | 2026-04-07 | Nest is a framework for building scalable Node.js server-side applications. |
| CVE-2024-29409 | Medium | 5.5 | — | 2025-03-14 | File Upload vulnerability in nestjs nest v.10.3.2 allows a remote attacker to execute arbitrary code via the Content-Type header. |
| CVE-2023-26108 | Low | 3.7 | — | 2023-03-06 | Versions of the package @nestjs/core before 9.0.5 are vulnerable to Information Exposure via the StreamableFile pipe. |