CVE-2025-69211

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-69211

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69211.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-69211

Aliases

GHSA-8wpr-639p-ccrj

Published

2025-12-29T16:01:22.801Z

Modified

2026-03-01T02:55:35.684403Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)

Details

Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses @nestjs/platform-fastify; relies on NestMiddleware (via MiddlewareConsumer) for security checks (authentication, authorization, etc.), or through app.use(); and applies middleware to specific routes using string paths or controllers (e.g., .forRoutes('admin')). Exploitation can result in unauthenticated users accessing protected routes, restricted administrative endpoints becoming accessible to lower-privileged users, and/or middleware performing sanitization or validation being skipped. This issue is patched in @nestjs/platform-fastify@11.1.11.

Database specific

{
    "cwe_ids": [
        "CWE-367"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/69xxx/CVE-2025-69211.json"
}

References

Affected packages

Git / github.com/nestjs/nest

Affected ranges

Type: GIT
Repo: https://github.com/nestjs/nest
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

20529c07e3cc6647fa7611ef6eb776ad5507a325

Affected versions

6.*

6.3.1

v10.*

v10.0.0

v10.0.1

v10.0.2

v10.0.3

v10.0.4

v10.0.5

v10.1.0

v10.1.1

v10.1.2

v10.1.3

v10.2.0

v10.2.1

v10.2.10

v10.2.2

v10.2.3

v10.2.4

v10.2.5

v10.2.6

v10.2.7

v10.2.8

v10.2.9

v10.3.0

v10.3.1

v10.3.10

v10.3.2

v10.3.3

v10.3.4

v10.3.5

v10.3.6

v10.3.7

v10.3.8

v10.3.9

v10.4.0

v10.4.1

v10.4.10

v10.4.11

v10.4.12

v10.4.13

v10.4.14

v10.4.15

v10.4.2

v10.4.3

v10.4.4

v10.4.5

v10.4.6

v10.4.7

v10.4.8

v10.4.9

v11.*

v11.0.0

v11.0.1

v11.0.10

v11.0.11

v11.0.12

v11.0.13

v11.0.14

v11.0.15

v11.0.16

v11.0.17

v11.0.18

v11.0.19

v11.0.2

v11.0.20

v11.0.21

v11.0.3

v11.0.4

v11.0.5

v11.0.6

v11.0.7

v11.0.8

v11.0.9

v11.1.0

v11.1.1

v11.1.10

v11.1.2

v11.1.3

v11.1.4

v11.1.5

v11.1.6

v11.1.7

v11.1.8

v11.1.9

v4.*

v4.4.0

v4.4.1

v4.4.2

v4.5.0

v4.5.1

v4.5.10

v4.5.11

v4.5.12

v4.5.2

v4.5.3

v4.5.4

v4.5.5

v4.5.6

v4.5.8

v4.5.9

v4.6.1

v4.6.2

v4.6.3

v4.6.4

v4.6.5

v4.6.6

v5.*

v5.0.0

v5.0.0-beta.0

v5.0.0-beta.1

v5.0.0-beta.2

v5.0.0-beta.3

v5.0.0-beta.4

v5.0.0-beta.6

v5.0.0-beta.7

v5.0.0-beta.8

v5.0.0-rc.1

v5.0.0-rc.2

v5.0.0-rc.3

v5.0.0-rc.4

v5.0.1

v5.1.0

v5.2.0

v5.2.1

v5.2.2

v5.3.0

v5.3.1

v5.3.10

v5.3.11

v5.3.12

v5.3.13

v5.3.14

v5.3.15

v5.3.2

v5.3.3

v5.3.4

v5.3.5

v5.3.6

v5.3.7

v5.3.7-postinstall-next

v5.3.8

v5.3.9

v5.4.0

v5.4.1

v5.5.0

v5.6.0

v5.6.1

v5.6.2

v5.7.0

v5.7.1

v5.7.2

v5.7.3

v5.7.4

v6.*

v6.0.0

v6.0.0-rc.1

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.0.5

v6.1.0

v6.1.1

v6.10.0

v6.10.1

v6.10.10

v6.10.11

v6.10.12

v6.10.13

v6.10.14

v6.10.2

v6.10.3

v6.10.4

v6.10.5

v6.10.6

v6.10.7

v6.10.8

v6.10.9

v6.11.0

v6.11.1

v6.11.10

v6.11.11

v6.11.2

v6.11.3

v6.11.4

v6.11.5

v6.11.6

v6.11.7

v6.11.8

v6.11.9

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.2.4

v6.3.0

v6.3.1

v6.3.2

v6.4.0

v6.4.1

v6.5.0

v6.5.1

v6.5.2

v6.5.3

v6.6.0

v6.6.1

v6.6.2

v6.6.3

v6.6.4

v6.6.5

v6.6.6

v6.6.7

v6.7.0

v6.7.1

v6.7.2

v6.8.0

v6.8.1

v6.8.2

v6.8.3

v6.8.4

v6.8.5

v6.9.0

v7.*

v7.0.0

v7.0.1

v7.0.10

v7.0.11

v7.0.12

v7.0.13

v7.0.2

v7.0.3

v7.0.4

v7.0.5

v7.0.6

v7.0.7

v7.0.8

v7.0.9

v7.1.0

v7.1.1

v7.1.2

v7.1.3

v7.2.0

v7.3.0

v7.3.1

v7.3.2

v7.4.0

v7.4.1

v7.4.2

v7.4.3

v7.4.4

v7.5.0

v7.5.1

v7.5.2

v7.5.3

v7.5.4

v7.5.5

v7.6.0

v7.6.1

v7.6.10

v7.6.11

v7.6.12

v7.6.13

v7.6.14

v7.6.15

v7.6.16

v7.6.17

v7.6.18

v7.6.2

v7.6.3

v7.6.4

v7.6.5

v7.6.6

v7.6.7

v7.6.8

v7.6.9

v8.*

v8.0.0

v8.0.1

v8.0.10

v8.0.11

v8.0.2

v8.0.3

v8.0.4

v8.0.5

v8.0.6

v8.0.7

v8.0.8

v8.0.9

v8.1.0

v8.1.1

v8.1.2

v8.2.0

v8.2.1

v8.2.2

v8.2.3

v8.2.4

v8.2.5

v8.2.6

v8.3.0

v8.3.1

v8.4.0

v8.4.1

v8.4.2

v8.4.3

v8.4.4

v8.4.5

v8.4.6

v8.4.7

v9.*

v9.0.0

v9.0.1

v9.0.10

v9.0.11

v9.0.2

v9.0.3

v9.0.4

v9.0.5

v9.0.6

v9.0.7

v9.0.8

v9.0.9

v9.1.0

v9.1.1

v9.1.2

v9.1.3

v9.1.4

v9.1.5

v9.1.6

v9.2.0

v9.2.1

v9.3.0

v9.3.0-beta.1

v9.3.0-beta.2

v9.3.0-beta.3

v9.3.1

v9.3.10

v9.3.11

v9.3.12

v9.3.2

v9.3.3

v9.3.4

v9.3.5

v9.3.6

v9.3.7

v9.3.8

v9.3.9

v9.4.0

v9.4.1

v9.4.2

v9.4.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69211.json"