{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33011", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T17:22:14.664Z", "datePublished": "2026-03-20T04:37:15.044Z", "dateUpdated": "2026-03-20T15:48:23.564Z"}, "containers": {"cna": {"title": "Nest Fastify HEAD Request Middleware Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-670", "lang": "en", "description": "CWE-670: Always-Incorrect Control Flow Implementation", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/nestjs/nest/security/advisories/GHSA-wf42-42fg-fg84", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nestjs/nest/security/advisories/GHSA-wf42-42fg-fg84"}, {"name": "https://github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d05ecea2ae4af95c464614", "tags": ["x_refsource_MISC"], "url": "https://github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d05ecea2ae4af95c464614"}, {"name": "https://github.com/nestjs/nest/releases/tag/v11.1.17", "tags": ["x_refsource_MISC"], "url": "https://github.com/nestjs/nest/releases/tag/v11.1.17"}], "affected": [{"vendor": "nestjs", "product": "nest", "versions": [{"version": "< 11.1.16", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T04:37:15.044Z"}, "descriptions": [{"lang": "en", "value": "Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist). As a result: middleware will be completely skipped, the HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET handler), and the actual handler will still be executed. This issue is fixed in version 11.1.16."}], "source": {"advisory": "GHSA-wf42-42fg-fg84", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T15:48:14.460494Z", "id": "CVE-2026-33011", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:48:23.564Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33011", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T15:48:14.460494Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:48:18.888Z"}}], "cna": {"title": "Nest Fastify HEAD Request Middleware Bypass", "source": {"advisory": "GHSA-wf42-42fg-fg84", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "nestjs", "product": "nest", "versions": [{"status": "affected", "version": "< 11.1.16"}]}], "references": [{"url": "https://github.com/nestjs/nest/security/advisories/GHSA-wf42-42fg-fg84", "name": "https://github.com/nestjs/nest/security/advisories/GHSA-wf42-42fg-fg84", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d05ecea2ae4af95c464614", "name": "https://github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d05ecea2ae4af95c464614", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nestjs/nest/releases/tag/v11.1.17", "name": "https://github.com/nestjs/nest/releases/tag/v11.1.17", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist). As a result: middleware will be completely skipped, the HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET handler), and the actual handler will still be executed. This issue is fixed in version 11.1.16."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-670", "description": "CWE-670: Always-Incorrect Control Flow Implementation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T04:37:15.044Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33011", "state": "PUBLISHED", "dateUpdated": "2026-03-20T15:48:23.564Z", "dateReserved": "2026-03-17T17:22:14.664Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T04:37:15.044Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nestjs:nest:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7E43F4FF-8FEF-415C-AF48-05E8CBDC4B56", "versionEndExcluding": "11.1.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist). As a result: middleware will be completely skipped, the HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET handler), and the actual handler will still be executed. This issue is fixed in version 11.1.16."}, {"lang": "es", "value": "Nest es un framework para construir aplicaciones escalables de servidor Node.js. En las versiones 11.1.15 e inferiores, una aplicaci\u00f3n NestJS que utiliza el middleware GET de @nestjs/platform-fastify puede ser eludida porque Fastify redirige autom\u00e1ticamente las solicitudes HEAD a los gestores GET correspondientes (si existen). Como resultado: el middleware ser\u00e1 completamente omitido, la respuesta HTTP no incluir\u00e1 un cuerpo (ya que la respuesta se trunca al redirigir una solicitud HEAD a un gestor GET), y el gestor real seguir\u00e1 ejecut\u00e1ndose. Este problema est\u00e1 solucionado en la versi\u00f3n 11.1.16."}], "id": "CVE-2026-33011", "lastModified": "2026-03-23T19:26:31.710", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T05:16:15.043", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d05ecea2ae4af95c464614"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/nestjs/nest/releases/tag/v11.1.17"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/nestjs/nest/security/advisories/GHSA-wf42-42fg-fg84"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-670"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.1.16)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nest", "source": "cna", "vendor": "nestjs"}, "product": "nest", "vendor": "nestjs"}], "analysis": {"en": {"generated_at": "2026-03-23T21:20:42.470432+00:00", "value": {"mitigation_remediation": ["Apply the official NestJS security patch by upgrading to version\u00a011.1.16 or newer.", "If HEAD requests are unnecessary for your application, configure the server or application to reject them.", "Consider adding firewall or WAF rules to filter out unwanted HEAD traffic before it reaches the application."], "summary": {"action": "Patch Now", "impact": "Middleware bypass via HEAD requests"}, "threat_synthesis": {"affected_systems": "Affected systems are NestJS applications built with the @nestjs/platform-fastify package running version 11.1.15 or earlier. The impact applies to the NestJS framework core library, which is typically deployed in Node.js runtime environments. Versions 11.1.16 and later contain the fix and are not affected.", "description_and_impact": "The vulnerability arises from Fastify's automatic conversion of HEAD requests to GET handlers in NestJS applications that use @nestjs/platform-fastify GET middleware. When a HEAD request is received for an endpoint that has a corresponding GET handler, Fastify redirects the request to that handler. As a result, any GET\u2011specific middleware\u2014such as authentication, logging, or rate limiting\u2014is bypassed, the response body is omitted because the HEAD response is truncated, and the original GET handler executes as if the request were a normal GET. This behavior is captured by CWE\u2011670, which denotes a violation of intended authorization or flow control.", "risk_and_exploitability": "The CVSS base score is 8.7, indicating high severity, while the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting low current exploitation probability. The most likely exploitation path involves an attacker sending a simple HEAD request to a publicly reachable NestJS endpoint that implements a GET handler, causing the middleware chain to be skipped and handler logic to run without the intended safeguards. Because the missing middleware can include authorization checks, the potential impact extends to unauthorized execution of the handler logic, as inferred from the description of the bypass."}}}}, "created": "2026-03-20T08:52:37.299938+00:00", "updated": "2026-03-25T14:09:17.808822+00:00", "vendors": ["nestjs", "nestjs$PRODUCT$nest"]}