GHSA-7q64-3rg2-h9pf: Duplicate Advisory: Nest has a Fastify URL Encoding Middleware Bypass

February 27, 2026 (updated March 2, 2026)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-r4wm-x892-vjmx. This link is maintained to preserve external references.

Original Description

A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled.

This issue affects nest.Js: 11.1.13.

References

fluidattacks.com/advisories/neton
github.com/advisories/GHSA-7q64-3rg2-h9pf
github.com/nestjs/nest
github.com/nestjs/nest/releases/tag/v11.1.14
nvd.nist.gov/vuln/detail/CVE-2026-2293

Code Behaviors & Features

Detect and mitigate GHSA-7q64-3rg2-h9pf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →