CVE-2025-69211: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in nestjs nest
Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses `@nestjs/platform-fastify`; relies on `NestMiddleware` (via `MiddlewareConsumer`) for security checks (authentication, authorization, etc.), or through `app.use()`; and applies middleware to specific routes using string paths or controllers (e.g., `.forRoutes('admin')`). Exploitation can result in unauthenticated users accessing protected routes, restricted administrative endpoints becoming accessible to lower-privileged users, and/or middleware performing sanitization or validation being skipped. This issue is patched in `@nestjs/platform-fastify@11.1.11`.
AI Analysis
Technical Summary
NestJS is a popular Node.js framework for building scalable server-side applications, supporting multiple HTTP platforms including Fastify. CVE-2025-69211 is a time-of-check to time-of-use (TOCTOU) race condition vulnerability classified under CWE-367, affecting NestJS applications that use the @nestjs/platform-fastify adapter and rely on NestMiddleware for security enforcement. The issue occurs when middleware is applied to specific routes using string paths or controllers (e.g., .forRoutes('admin')), causing a race condition in the Fastify URL encoding middleware that can be bypassed. This bypass allows attackers to circumvent authentication and authorization middleware, or skip sanitization and validation steps, potentially exposing protected routes or administrative endpoints to unauthorized users. The vulnerability does not require prior authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 base score is 6.9 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, but with high impact on confidentiality and integrity. The flaw was patched in @nestjs/platform-fastify version 11.1.11. No known exploits have been observed in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability poses a significant risk to web applications built with NestJS using the Fastify platform adapter, especially those that implement route-specific middleware for security. Exploitation could lead to unauthorized access to sensitive or administrative endpoints, resulting in data breaches, privilege escalation, and potential disruption of services. Organizations in sectors with strict data protection regulations such as finance, healthcare, and government could face compliance violations and reputational damage if exploited. The ability to bypass authentication and authorization controls undermines the integrity and confidentiality of protected resources. Given the widespread adoption of Node.js and NestJS in modern web development, the scope of affected systems could be substantial, particularly for companies deploying microservices or APIs with route-specific middleware configurations.
Mitigation Recommendations
European organizations should immediately upgrade @nestjs/platform-fastify to version 11.1.11 or later to apply the official patch. Review all NestJS applications using Fastify to identify middleware applied selectively to routes via string paths or controllers and refactor middleware usage to avoid route-specific application where possible. Implement comprehensive end-to-end security checks at the global middleware level rather than relying solely on route-specific middleware. Conduct thorough code audits and penetration testing focusing on authentication and authorization bypass scenarios. Employ runtime application self-protection (RASP) tools to detect unusual access patterns. Monitor application logs for anomalous access attempts to protected routes. Additionally, consider implementing Web Application Firewalls (WAFs) with rules tailored to detect and block suspicious URL encoding or request manipulation attempts targeting Fastify-based applications.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland
CVE-2025-69211: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in nestjs nest
Description
Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses `@nestjs/platform-fastify`; relies on `NestMiddleware` (via `MiddlewareConsumer`) for security checks (authentication, authorization, etc.), or through `app.use()`; and applies middleware to specific routes using string paths or controllers (e.g., `.forRoutes('admin')`). Exploitation can result in unauthenticated users accessing protected routes, restricted administrative endpoints becoming accessible to lower-privileged users, and/or middleware performing sanitization or validation being skipped. This issue is patched in `@nestjs/platform-fastify@11.1.11`.
AI-Powered Analysis
Technical Analysis
NestJS is a popular Node.js framework for building scalable server-side applications, supporting multiple HTTP platforms including Fastify. CVE-2025-69211 is a time-of-check to time-of-use (TOCTOU) race condition vulnerability classified under CWE-367, affecting NestJS applications that use the @nestjs/platform-fastify adapter and rely on NestMiddleware for security enforcement. The issue occurs when middleware is applied to specific routes using string paths or controllers (e.g., .forRoutes('admin')), causing a race condition in the Fastify URL encoding middleware that can be bypassed. This bypass allows attackers to circumvent authentication and authorization middleware, or skip sanitization and validation steps, potentially exposing protected routes or administrative endpoints to unauthorized users. The vulnerability does not require prior authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 base score is 6.9 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, but with high impact on confidentiality and integrity. The flaw was patched in @nestjs/platform-fastify version 11.1.11. No known exploits have been observed in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability poses a significant risk to web applications built with NestJS using the Fastify platform adapter, especially those that implement route-specific middleware for security. Exploitation could lead to unauthorized access to sensitive or administrative endpoints, resulting in data breaches, privilege escalation, and potential disruption of services. Organizations in sectors with strict data protection regulations such as finance, healthcare, and government could face compliance violations and reputational damage if exploited. The ability to bypass authentication and authorization controls undermines the integrity and confidentiality of protected resources. Given the widespread adoption of Node.js and NestJS in modern web development, the scope of affected systems could be substantial, particularly for companies deploying microservices or APIs with route-specific middleware configurations.
Mitigation Recommendations
European organizations should immediately upgrade @nestjs/platform-fastify to version 11.1.11 or later to apply the official patch. Review all NestJS applications using Fastify to identify middleware applied selectively to routes via string paths or controllers and refactor middleware usage to avoid route-specific application where possible. Implement comprehensive end-to-end security checks at the global middleware level rather than relying solely on route-specific middleware. Conduct thorough code audits and penetration testing focusing on authentication and authorization bypass scenarios. Employ runtime application self-protection (RASP) tools to detect unusual access patterns. Monitor application logs for anomalous access attempts to protected routes. Additionally, consider implementing Web Application Firewalls (WAFs) with rules tailored to detect and block suspicious URL encoding or request manipulation attempts targeting Fastify-based applications.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-12-29T15:00:11.973Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 695450b7db813ff03e2bf37f
Added to database: 12/30/2025, 10:22:47 PM
Last enriched: 12/30/2025, 11:32:05 PM
Last updated: 2/7/2026, 5:19:45 PM
Views: 52
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-2105: Improper Authorization in yeqifu warehouse
MediumCVE-2026-2090: SQL Injection in SourceCodester Online Class Record System
MediumCVE-2026-2089: SQL Injection in SourceCodester Online Class Record System
MediumCVE-2026-2088: SQL Injection in PHPGurukul Beauty Parlour Management System
MediumCVE-2026-2087: SQL Injection in SourceCodester Online Class Record System
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.