CVE-2026-33011: Nest Fastify HEAD Request Middleware Bypass

March 17, 2026 (updated March 20, 2026)

In a NestJS application using @nestjs/platform-fastify, GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist).

As a result:

Middleware will be completely skipped.
The HTTP response won’t include a body (since the response is truncated when redirecting a HEAD request to a GET handler).
The actual handler will still be executed.

References

github.com/advisories/GHSA-wf42-42fg-fg84
github.com/nestjs/nest
github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d05ecea2ae4af95c464614
github.com/nestjs/nest/releases/tag/v11.1.17
github.com/nestjs/nest/security/advisories/GHSA-wf42-42fg-fg84
nvd.nist.gov/vuln/detail/CVE-2026-33011

Code Behaviors & Features

Detect and mitigate CVE-2026-33011 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →