CVE-2025-69211
Authentication Bypass vulnerability in platform-fastify (npm)

Authentication Bypass No known exploit

What is CVE-2025-69211 About?

This Authentication Bypass vulnerability in NestJS applications using `@nestjs/platform-fastify` allows middleware applied to specific routes via string paths to be bypassed. Attackers can reach protected routes by URL-encoding part of the path. Exploitation requires nothing more than URL-encoding a section of the targeted route.

Affected Software

@nestjs/platform-fastify <11.1.11

Technical Details

The vulnerability affects NestJS applications integrating @nestjs/platform-fastify when NestMiddleware or app.use() is used for security checks (like authentication/authorization) and applied to routes using string paths (e.g., .forRoutes('admin')). The core issue is that the Fastify router processes URL-encoded characters in the path before the NestJS middleware matching logic. If a middleware is configured for a path like /admin, an attacker can bypass it by requesting /%61dmin. The Fastify router will decode %61dmin to /admin and route it to the intended controller. However, the MiddlewareConsumer's path matching logic, potentially operating before or differently from Fastify's final routing, fails to match /%61dmin against admin. As a result, the security middleware is skipped, while the corresponding controller for /admin is still executed, granting unauthorized access.
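As an added illustration, not NestJS or Fastify code and not the project's fix: a stand-alone model of the root cause described above, with a naive matcher that compares string-path middleware against the raw request path, a matcher that canonicalizes the path before comparing (the form the router actually dispatches on), and a scan over constructed access-log lines that flags requests showing the mismatch. The function names and the log line format are assumptions.

```javascript
// Canonicalize a path the way a router does before dispatch: percent-decode,
// collapse repeated slashes, drop a trailing slash. Null on malformed encoding.
function normalizePath(rawPath) {
  let p;
  try {
    p = decodeURIComponent(rawPath.split('?')[0]);
  } catch {
    return null;
  }
  p = p.replace(/\/{2,}/g, '/');
  if (p.length > 1 && p.endsWith('/')) p = p.slice(0, -1);
  return p;
}

function prefixMatch(path, prefix) {
  return path === prefix || path.startsWith(prefix + '/');
}

// Vulnerable pattern: string-path middleware compared against the raw path.
function naiveMatches(rawPath, prefix) {
  return prefixMatch(rawPath.split('?')[0], prefix);
}

// Hardened pattern: compare on the canonical form the router dispatches on;
// an undecodable path is treated as protected (fail closed).
function normalizedMatches(rawPath, prefix) {
  const p = normalizePath(rawPath);
  return p === null ? true : prefixMatch(p, prefix);
}

// Detection over access-log lines "METHOD PATH STATUS": return raw paths that
// the naive matcher would not guard but whose decoded form is protected.
function findBypassAttempts(logLines, protectedPrefixes) {
  const hits = [];
  for (const line of logLines) {
    const rawPath = line.split(' ')[1];
    const slipped = (prefix) =>
      !naiveMatches(rawPath, prefix) && normalizedMatches(rawPath, prefix);
    if (protectedPrefixes.some(slipped)) hits.push(rawPath);
  }
  return hits;
}
// Constructed sample log lines (not from any real deployment).
const SAMPLE_LOG = [
  'GET /admin/users 200',
  'GET /%61dmin/users 200',
  'GET /public/index.html 200',
  'GET /ad%6din 200',
];
```

The same normalize-then-compare rule is what an upgraded version must apply; the scan is useful retroactively against logs from the window before the upgrade.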

What is the Impact of CVE-2025-69211?

Successful exploitation may allow attackers to bypass authentication and authorization checks, access restricted administrative endpoints, or circumvent input validation mechanisms.

What is the Exploitability of CVE-2025-69211?

Exploitation of this Authentication Bypass vulnerability is of low complexity. It requires remote access to the vulnerable NestJS application. No authentication is formally required from the attacker's perspective to attempt the bypass, as the vulnerability itself leads to bypassing authentication. The attacker simply needs to URL-encode a portion of the target route (e.g., /admin becomes /%61dmin). The prerequisites are an application using @nestjs/platform-fastify that relies on NestMiddleware applied to specific routes using string paths (e.g., forRoutes('admin')) for security. There are no special conditions or constraints beyond crafting the URL-encoded path. Exploitation likelihood is highest for publicly exposed endpoints protected only by path-based middleware in this configuration, since the bypass is a straightforward way to gain unauthorized access.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2025-69211?

Available Upgrade Options

  • @nestjs/platform-fastify
    • <11.1.11 → Upgrade to 11.1.11


Additional Resources

What are Similar Vulnerabilities to CVE-2025-69211?

Similar Vulnerabilities: CVE-2023-45136, CVE-2023-45137, CVE-2023-45138, CVE-2023-45139, CVE-2023-45140