{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33011", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T17:22:14.664Z", "datePublished": "2026-03-20T04:37:15.044Z", "dateUpdated": "2026-03-20T15:48:23.564Z"}, "containers": {"cna": {"title": "Nest Fastify HEAD Request Middleware Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-670", "lang": "en", "description": "CWE-670: Always-Incorrect Control Flow Implementation", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/nestjs/nest/security/advisories/GHSA-wf42-42fg-fg84", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nestjs/nest/security/advisories/GHSA-wf42-42fg-fg84"}, {"name": "https://github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d05ecea2ae4af95c464614", "tags": ["x_refsource_MISC"], "url": "https://github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d05ecea2ae4af95c464614"}, {"name": "https://github.com/nestjs/nest/releases/tag/v11.1.17", "tags": ["x_refsource_MISC"], "url": "https://github.com/nestjs/nest/releases/tag/v11.1.17"}], "affected": [{"vendor": "nestjs", "product": "nest", "versions": [{"version": "< 11.1.16", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T04:37:15.044Z"}, "descriptions": [{"lang": "en", "value": "Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist). As a result: middleware will be completely skipped, the HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET handler), and the actual handler will still be executed. This issue is fixed in version 11.1.16."}], "source": {"advisory": "GHSA-wf42-42fg-fg84", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T15:48:14.460494Z", "id": "CVE-2026-33011", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:48:23.564Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33011", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T15:48:14.460494Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:48:18.888Z"}}], "cna": {"title": "Nest Fastify HEAD Request Middleware Bypass", "source": {"advisory": "GHSA-wf42-42fg-fg84", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "nestjs", "product": "nest", "versions": [{"status": "affected", "version": "< 11.1.16"}]}], "references": [{"url": "https://github.com/nestjs/nest/security/advisories/GHSA-wf42-42fg-fg84", "name": "https://github.com/nestjs/nest/security/advisories/GHSA-wf42-42fg-fg84", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d05ecea2ae4af95c464614", "name": "https://github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d05ecea2ae4af95c464614", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nestjs/nest/releases/tag/v11.1.17", "name": "https://github.com/nestjs/nest/releases/tag/v11.1.17", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist). As a result: middleware will be completely skipped, the HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET handler), and the actual handler will still be executed. This issue is fixed in version 11.1.16."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-670", "description": "CWE-670: Always-Incorrect Control Flow Implementation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T04:37:15.044Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33011", "state": "PUBLISHED", "dateUpdated": "2026-03-20T15:48:23.564Z", "dateReserved": "2026-03-17T17:22:14.664Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T04:37:15.044Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist). As a result: middleware will be completely skipped, the HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET handler), and the actual handler will still be executed. This issue is fixed in version 11.1.16."}], "id": "CVE-2026-33011", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T05:16:15.043", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d05ecea2ae4af95c464614"}, {"source": "security-advisories@github.com", "url": "https://github.com/nestjs/nest/releases/tag/v11.1.17"}, {"source": "security-advisories@github.com", "url": "https://github.com/nestjs/nest/security/advisories/GHSA-wf42-42fg-fg84"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-670"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.1.16)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nest", "source": "cna", "vendor": "nestjs"}, "product": "nest", "vendor": "nestjs"}], "analysis": {"en": {"generated_at": "2026-03-20T05:20:38.631201+00:00", "value": {"mitigation_remediation": ["Upgrade NestJS to version 11.1.16 or newer."], "summary": {"action": "Apply Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The affected product is the Nest framework (nestjs:nest). Versions 11.1.15 and all earlier releases are impacted. The vulnerability is fixed in version 11.1.16 and later.", "description_and_impact": "In NestJS versions 11.1.15 and earlier, applications that use the @nestjs/platform-fastify GET middleware are vulnerable because Fastify automatically redirects HEAD requests to existing GET handlers. The redirect causes the middleware to be completely skipped and the HTTP response body to be truncated while the actual GET handler still executes. This bypass allows attackers to send HEAD requests that bypass authentication, logging, or other middleware logic, potentially gaining unauthorized access or evading audit trails (CWE-670).", "risk_and_exploitability": "The CVSS score is 8.7 indicating high severity. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is remote, exploiting an externally reachable HTTP HEAD request against a Nest application that uses Fastify. The exploitation simply requires sending a HEAD request; no local privileges or additional conditions are needed, making the vulnerability highly actionable for adversaries."}}}}, "created": "2026-03-20T08:52:37.299938+00:00", "updated": "2026-03-20T10:37:19.060999+00:00", "vendors": ["nestjs", "nestjs$PRODUCT$nest"]}