CVE-2026-33011: CWE-670: Always-Incorrect Control Flow Implementation in nestjs nest
CVE-2026-33011 is a high-severity vulnerability in NestJS versions 11.1.15 and below, specifically affecting applications using the @nestjs/platform-fastify GET middleware. Because Fastify automatically routes HEAD requests to the matching GET handler, middleware registered for GET can be bypassed entirely: the middleware logic is skipped while the GET handler still executes. This results in incomplete HTTP responses and potential security controls being circumvented. The vulnerability does not require authentication or user interaction and has a CVSS 4.0 score of 8.7. It is fixed in NestJS version 11.1.16.
AI Analysis
Technical Summary
CVE-2026-33011 is a vulnerability in the NestJS framework, a popular Node.js server-side application framework, specifically in versions 11.1.15 and earlier. The issue arises when using the @nestjs/platform-fastify GET middleware. Fastify, the underlying HTTP server framework, automatically redirects HTTP HEAD requests to the corresponding GET handlers if they exist. This behavior causes the middleware layer to be completely bypassed during HEAD requests because the middleware is not executed before the GET handler is invoked. Consequently, any security, logging, or validation logic implemented in middleware is skipped. Additionally, the HTTP response for the HEAD request is truncated and does not include a body, which is expected behavior for HEAD requests but can mask the bypass. The vulnerability is classified under CWE-670 (Always-Incorrect Control Flow Implementation), indicating a fundamental flaw in how control flow is handled in the middleware chain. The issue does not require any privileges or user interaction to exploit, making it remotely exploitable over the network. The CVSS 4.0 base score is 8.7 (high severity), reflecting the ease of exploitation and significant impact on application security. The flaw was publicly disclosed on March 20, 2026, and fixed in NestJS version 11.1.16. No known exploits have been reported in the wild as of the publication date.
Potential Impact
This vulnerability can have significant impacts on organizations using affected NestJS versions with Fastify. Middleware often enforces critical security controls such as authentication, authorization, input validation, logging, and rate limiting. Bypassing middleware allows attackers to circumvent these protections, potentially gaining unauthorized access, executing unauthorized actions, or evading detection. The vulnerability affects the confidentiality and integrity of applications by allowing unauthorized request processing. Availability impact is limited but could arise if attackers exploit the bypass to trigger resource exhaustion or other denial-of-service conditions. Since the vulnerability is remotely exploitable without authentication or user interaction, it poses a high risk to exposed web services. Organizations relying on NestJS for critical backend services, especially those handling sensitive data or performing security checks in middleware, are at elevated risk. The absence of known exploits in the wild suggests limited active exploitation currently, but the high severity and ease of exploitation warrant immediate attention.
Mitigation Recommendations
The primary mitigation is to upgrade all affected NestJS applications to version 11.1.16 or later, where the issue is fixed. Until an upgrade is possible, organizations should consider implementing additional request validation at the handler level to detect and reject unexpected HEAD requests, or enforce middleware logic explicitly for HEAD requests. Reviewing and hardening middleware to ensure critical security checks cannot be bypassed by HTTP method manipulation is recommended. Network-level controls such as Web Application Firewalls (WAFs) can be configured to block or monitor suspicious HEAD requests targeting GET endpoints. Application logging should be enhanced to detect anomalies in request methods and response patterns, in particular handler executions on protected routes that are not accompanied by the corresponding middleware activity. Developers should audit their use of Fastify and NestJS middleware to understand the impact of this control flow bypass and refactor code to minimize reliance on middleware for critical security enforcement. Finally, organizations should monitor security advisories for any emerging exploits and apply patches promptly.
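As an added illustration of the logging recommendation above (this is example code written for this page, not NestJS or Fastify project code), the following Node.js script correlates JSON-lines application logs by request id and flags any request on a protected route whose handler executed without a preceding middleware record. It assumes a pino-style JSON log in which the middleware and the route handler each emit one record sharing a `reqId`, with `msg` values of the form `middleware:<name>` or `handler`; the field names, the `PROTECTED_PREFIXES` list and the sample log lines are all constructed assumptions rather than any particular logger's schema.

```javascript
// Added example (not NestJS or Fastify project code): detect route handlers on
// protected GET routes that executed without their middleware, the log pattern
// left behind by the HEAD-to-GET middleware bypass described in CVE-2026-33011.
//
// Assumptions: the application logs JSON lines in which the middleware and the
// route handler each emit one record carrying the same request id (`reqId`),
// a `msg` of "middleware:<name>" or "handler", plus `method` and `url`.
// Field names, the protected-route list and the sample log are constructed.

// Route prefixes the application protects with middleware (assumed config).
const PROTECTED_PREFIXES = ["/admin", "/api/private"];

// Constructed sample log. r1 is a normal authenticated GET; r2 and r4 are HEAD
// requests whose handler ran with no middleware record; r3 was rejected by the
// middleware before reaching a handler; r5 hits an unprotected route and must
// not be flagged.
const SAMPLE_LOG = [
  '{"reqId":"r1","method":"GET","url":"/admin/users","msg":"middleware:auth","subject":"alice"}',
  '{"reqId":"r1","method":"GET","url":"/admin/users","msg":"handler","statusCode":200}',
  '{"reqId":"r2","method":"HEAD","url":"/admin/users","msg":"handler","statusCode":200}',
  '{"reqId":"r3","method":"GET","url":"/admin/users","msg":"middleware:auth","statusCode":401}',
  '{"reqId":"r4","method":"HEAD","url":"/admin/users","msg":"handler","statusCode":200}',
  '{"reqId":"r5","method":"GET","url":"/health","msg":"handler","statusCode":200}',
].join("\n");

// Parse newline-delimited JSON, skipping blank or malformed lines so one bad
// record does not abort the whole scan.
function parseJsonLines(text) {
  const records = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    try {
      records.push(JSON.parse(line));
    } catch (e) {
      // malformed line: ignore
    }
  }
  return records;
}

// A URL is protected if it equals a prefix or sits underneath it.
function isProtected(url, prefixes) {
  return prefixes.some((p) => url === p || url.startsWith(p + "/"));
}

// Group records by request id, then flag every request on a protected route
// whose handler record is not accompanied by at least one middleware record.
function findMiddlewareBypass(logText, prefixes = PROTECTED_PREFIXES) {
  const byReq = new Map();
  for (const rec of parseJsonLines(logText)) {
    if (!rec.reqId || !rec.url || !rec.method) continue;
    const entry = byReq.get(rec.reqId) || { middleware: [], handler: null };
    if (typeof rec.msg === "string" && rec.msg.startsWith("middleware:")) {
      entry.middleware.push(rec.msg);
    } else if (rec.msg === "handler") {
      entry.handler = rec;
    }
    byReq.set(rec.reqId, entry);
  }

  const findings = [];
  for (const [reqId, entry] of byReq) {
    const h = entry.handler;
    if (!h || !isProtected(h.url, prefixes)) continue;
    if (entry.middleware.length === 0) {
      findings.push({
        reqId,
        method: h.method,
        url: h.url,
        statusCode: h.statusCode,
        reason: "handler executed on protected route without any middleware record",
      });
    }
  }
  return findings;
}

// Count flagged requests per "METHOD url" so a cluster of HEAD hits on a
// protected GET route stands out in a dashboard or alert.
function summarizeByRoute(findings) {
  const counts = {};
  for (const f of findings) {
    const key = `${f.method} ${f.url}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Run against the constructed sample; expect r2 and r4 to be reported.
console.log(JSON.stringify(summarizeByRoute(findMiddlewareBypass(SAMPLE_LOG)), null, 2));
```

Point the script at real log output by replacing `SAMPLE_LOG` with the file contents and `PROTECTED_PREFIXES` with the routes your middleware actually guards; a HEAD request that appears in the findings while the equivalent GET does not is exactly the method-based bypass the advisory describes, and a route that appears for GET as well indicates the middleware is not wired to that route at all.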
Affected Countries
United States, Germany, United Kingdom, India, Canada, Australia, France, Netherlands, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T17:22:14.664Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bcd2fce32a4fbe5f2df42f
Added to database: 3/20/2026, 4:54:20 AM
Last enriched: 3/20/2026, 5:08:40 AM
Last updated: 3/20/2026, 6:01:45 AM