CVE-2026-54281: Nest: Middleware Bypass on Fastify via Trailing Slash
An authentication bypass vulnerability exists in @nestjs/platform-fastify (confirmed on version 11.1.24, the latest available release at the time of report). When middleware is registered through NestJS's MiddlewareConsumer.forRoutes() API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route by appending a trailing slash (/) to the request URL.
This bypass works on the default Fastify adapter configuration; no special router options need to be enabled. Applications using the standard CRUD route shape (GET /resource and GET /resource/:id) are affected when they protect those routes with MiddlewareConsumer.forRoutes() middleware.
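The following is an added illustration of the bug class behind this advisory, not code from @nestjs/platform-fastify or NestJS, and it does not claim to reproduce the exact root cause in that package. It assumes a simplified pipeline in which a middleware layer is matched by path string separately from the router; the table-based matchers, the `/resource` route, and the request objects are all constructed for the example. It shows how two matchers that disagree on a trailing slash let a request reach a handler with no middleware run, how normalizing once and feeding the same path to both lookups closes that gap, and a regression check a defender can keep in a test suite.

```javascript
// Added example (not NestJS or Fastify code): two path matchers that
// disagree on a trailing slash, and the normalized, hardened version.

// Middleware registered for the "/resource" path family, in the spirit of a
// forRoutes() registration (constructed sample; exact-string match assumed).
function requireAuth(req) {
  if (!req.headers || !req.headers.authorization) {
    const err = new Error('Unauthorized');
    err.status = 401;
    throw err;
  }
}

const middlewareByPath = {
  '/resource': [requireAuth],
};

// Route handlers keyed by their declared path (constructed sample).
const routesByPath = {
  '/resource': () => ({ items: ['a', 'b'] }),
};

// Remove one trailing slash, leaving the root path "/" intact.
function stripTrailingSlash(path) {
  return path.length > 1 && path.endsWith('/') ? path.slice(0, -1) : path;
}

// Run the middleware found under middlewarePath, then the handler found
// under routePath, and return an HTTP-like result object.
function dispatch(req, middlewarePath, routePath) {
  try {
    for (const layer of middlewareByPath[middlewarePath] || []) layer(req);
  } catch (err) {
    return { status: err.status || 500, body: err.message };
  }
  const handler = routesByPath[routePath];
  if (!handler) return { status: 404, body: 'Not Found' };
  return { status: 200, body: handler(req) };
}

// Vulnerable shape: the middleware lookup uses the raw request path while the
// router tolerates a trailing slash, so "/resource/" reaches the handler with
// no middleware executed.
function handleNaive(req) {
  return dispatch(req, req.path, stripTrailingSlash(req.path));
}

// Hardened shape: normalize once and use the SAME normalized path for both
// lookups, so the two matchers can never disagree on a trailing slash.
function handleHardened(req) {
  const path = stripTrailingSlash(req.path);
  return dispatch(req, path, path);
}

// Regression check: every protected path must be rejected for an
// unauthenticated request both with and without a trailing slash.
function middlewareCoversTrailingSlash(handle, protectedPaths) {
  return protectedPaths.every((p) =>
    [p, p + '/'].every(
      (variant) => handle({ path: variant, headers: {} }).status === 401
    )
  );
}

// Stand-alone demonstration.
console.log('naive    /resource/ ->', handleNaive({ path: '/resource/', headers: {} }).status);
console.log('hardened /resource/ ->', handleHardened({ path: '/resource/', headers: {} }).status);
console.log('naive covers trailing slash:', middlewareCoversTrailingSlash(handleNaive, ['/resource']));
console.log('hardened covers trailing slash:', middlewareCoversTrailingSlash(handleHardened, ['/resource']));
```

The advisory does not state a fixed version or a workaround, so the normalization above is a property to verify, not a patch for the package. Independently of this illustration, NestJS guards attached with @UseGuards() are evaluated as part of the matched handler's own pipeline rather than by a separate path match, which is the general reason route-bound authorization is less exposed to matcher disagreements than path-registered middleware; the check function here is the kind of test that would have caught the mismatch either way.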