CVE-2025-69211

Date: December 29, 2025

Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if all of the following hold: it uses "@nestjs/platform-fastify"; it relies on "NestMiddleware" (via "MiddlewareConsumer") or on "app.use()" for security checks (authentication, authorization, etc.); and it applies middleware to specific routes using string paths or controllers (e.g., ".forRoutes('admin')"). Exploitation can result in unauthenticated users accessing protected routes, restricted administrative endpoints becoming accessible to lower-privileged users, and/or middleware that performs sanitization or validation being skipped. This issue is patched in "@nestjs/platform-fastify@11.1.11".

Severity Score

Weakness Type (CWE)

Time-of-check Time-of-use (TOCTOU) Race Condition

CWE-367

Top Fix

Upgrade Version

Upgrade to version @nestjs/platform-fastify - 11.1.11; https://github.com/nestjs/nest.git - v11.1.11

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): NONE
