Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5556 vulnerabilities reference this CWE, most recent first.

GHSA-R3J2-7G54-8MXW

Vulnerability from github – Published: 2023-01-09 21:30 – Updated: 2023-01-13 18:30
VLAI
Details

A vulnerability, which was classified as problematic, was found in jvvlee MerlinsBoard. This affects an unknown part of the component Grade Handler. The manipulation leads to improper authorization. The name of the patch is 134f5481e2914b7f096cd92a22b1e6bcb8e6dfe5. It is recommended to apply a patch to fix this issue. The identifier VDB-217713 was assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-10033"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-09T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as problematic, was found in jvvlee MerlinsBoard. This affects an unknown part of the component Grade Handler. The manipulation leads to improper authorization. The name of the patch is 134f5481e2914b7f096cd92a22b1e6bcb8e6dfe5. It is recommended to apply a patch to fix this issue. The identifier VDB-217713 was assigned to this vulnerability.",
  "id": "GHSA-r3j2-7g54-8mxw",
  "modified": "2023-01-13T18:30:18Z",
  "published": "2023-01-09T21:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-10033"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jvvlee/MerlinsBoard/commit/134f5481e2914b7f096cd92a22b1e6bcb8e6dfe5"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.217713"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.217713"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R3JC-HF4V-62FG

Vulnerability from github – Published: 2022-07-02 00:00 – Updated: 2022-07-12 00:00
VLAI
Details

On Ampere Altra and AltraMax devices before SRP 1.09, the the Altra reference design of UEFI accesses allows insecure access to SPI-NOR by the OS/hypervisor component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32295"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-01T00:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "On Ampere Altra and AltraMax devices before SRP 1.09, the the Altra reference design of UEFI accesses allows insecure access to SPI-NOR by the OS/hypervisor component.",
  "id": "GHSA-r3jc-hf4v-62fg",
  "modified": "2022-07-12T00:00:54Z",
  "published": "2022-07-02T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32295"
    },
    {
      "type": "WEB",
      "url": "https://amperecomputing.com"
    },
    {
      "type": "WEB",
      "url": "https://amperecomputing.com/products/security-bulletins/altra-spi-nor-smc-protection-for-ampere-website.html"
    },
    {
      "type": "WEB",
      "url": "https://amperecomputing.com/products/security-bulletins/altra-spi-nor-smc.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R3XW-GCPR-RF26

Vulnerability from github – Published: 2026-07-15 12:32 – Updated: 2026-07-15 12:32
VLAI
Details

PraisonAI before 1.6.78 caches tool approval decisions by tool name only, allowing attackers to reuse initial approvals for subsequent calls with arbitrary arguments. Attackers can exploit this by obtaining approval for a benign operation and then executing dangerous file write operations with unreviewed parameters in the same session.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-60087"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-15T12:18:18Z",
    "severity": "MODERATE"
  },
  "details": "PraisonAI before 1.6.78 caches tool approval decisions by tool name only, allowing attackers to reuse initial approvals for subsequent calls with arbitrary arguments. Attackers can exploit this by obtaining approval for a benign operation and then executing dangerous file write operations with unreviewed parameters in the same session.",
  "id": "GHSA-r3xw-gcpr-rf26",
  "modified": "2026-07-15T12:32:03Z",
  "published": "2026-07-15T12:32:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-29r9-67vg-qj56"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-60087"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/praisonai-before-tool-approval-cache-bypass"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-R447-VFQG-5642

Vulnerability from github – Published: 2022-08-12 00:01 – Updated: 2022-08-19 00:00
VLAI
Details

Zoom On-Premise Meeting Connector MMR before version 4.8.129.20220714 contains an improper access control vulnerability. As a result, a malicious actor can join a meeting which they are authorized to join without appearing to the other participants, can admit themselves into the meeting from the waiting room, and can become host and cause other meeting disruptions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28753"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-11T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Zoom On-Premise Meeting Connector MMR before version 4.8.129.20220714 contains an improper access control vulnerability. As a result, a malicious actor can join a meeting which they are authorized to join without appearing to the other participants, can admit themselves into the meeting from the waiting room, and can become host and cause other meeting disruptions.",
  "id": "GHSA-r447-vfqg-5642",
  "modified": "2022-08-19T00:00:21Z",
  "published": "2022-08-12T00:01:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28753"
    },
    {
      "type": "WEB",
      "url": "https://explore.zoom.us/en/trust/security/security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R44R-X7Q4-8HXR

Vulnerability from github – Published: 2022-08-31 00:00 – Updated: 2022-09-07 00:01
VLAI
Details

Incorrect access control in the install directory (C:\RailsInstaller) of Rubyinstaller2 v3.1.2 and below allows authenticated attackers to execute arbitrary code via overwriting binaries located in the directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-36563"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-30T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Incorrect access control in the install directory (C:\\RailsInstaller) of Rubyinstaller2 v3.1.2 and below allows authenticated attackers to execute arbitrary code via overwriting binaries located in the directory.",
  "id": "GHSA-r44r-x7q4-8hxr",
  "modified": "2022-09-07T00:01:53Z",
  "published": "2022-08-31T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36563"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ycdxsb/Vuln/blob/main/Railsinstaller-Vuln/Railsinstaller-Vuln.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R496-34W8-F379

Vulnerability from github – Published: 2022-09-27 00:00 – Updated: 2025-05-21 18:32
VLAI
Details

Insufficient policy enforcement in Content Security Policy in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to bypass content security policy via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3056"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-693",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-26T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient policy enforcement in Content Security Policy in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to bypass content security policy via a crafted HTML page.",
  "id": "GHSA-r496-34w8-f379",
  "modified": "2025-05-21T18:32:58Z",
  "published": "2022-09-27T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3056"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_30.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1329460"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/40059762"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202209-23"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R4CR-8P88-HQX6

Vulnerability from github – Published: 2023-10-07 00:30 – Updated: 2024-04-04 08:23
VLAI
Details

An issue in NETIS SYSTEMS N3Mv2 v.1.0.1.865 allows a remote attacker to cause a denial of service via the authorization component in the HTTP request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-44860"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-06T23:15:11Z",
    "severity": "HIGH"
  },
  "details": "An issue in NETIS SYSTEMS N3Mv2 v.1.0.1.865 allows a remote attacker to cause a denial of service via the authorization component in the HTTP request.",
  "id": "GHSA-r4cr-8p88-hqx6",
  "modified": "2024-04-04T08:23:55Z",
  "published": "2023-10-07T00:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44860"
    },
    {
      "type": "WEB",
      "url": "https://github.com/adhikara13/CVE/blob/main/netis_N3/Improper%20Authentication%20Mechanism%20Leading%20to%20Denial-of-Service%20%28DoS%29.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/adhikara13/CVE/blob/main/netis_N3/Improper%20Authentication%20Mechanism%20Leading%20to%20Denial-of-Service%20(DoS).md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R4PF-QG69-H279

Vulnerability from github – Published: 2023-11-20 21:31 – Updated: 2023-11-27 18:31
VLAI
Details

The WP Hotel Booking WordPress plugin before 2.0.8 does not have proper authorisation when deleting a package, allowing Contributor and above roles to delete posts that do no belong to them

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5799"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-20T19:15:10Z",
    "severity": "MODERATE"
  },
  "details": "The WP Hotel Booking WordPress plugin before 2.0.8 does not have proper authorisation when deleting a package, allowing Contributor and above roles to delete posts that do no belong to them",
  "id": "GHSA-r4pf-qg69-h279",
  "modified": "2023-11-27T18:31:13Z",
  "published": "2023-11-20T21:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5799"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/3061f85e-a70e-49e5-bccf-ae9240f51178"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R4V8-9HGX-VM6M

Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2024-03-01 23:43
VLAI
Summary
Cloud Foundry UAA accepts refresh token as access token on admin endpoints
Details

Cloud Foundry UAA, versions 4.19 prior to 4.19.2 and 4.12 prior to 4.12.4 and 4.10 prior to 4.10.2 and 4.7 prior to 4.7.6 and 4.5 prior to 4.5.7, incorrectly authorizes requests to admin endpoints by accepting a valid refresh token in lieu of an access token. Refresh tokens by design have a longer expiration time than access tokens, allowing the possessor of a refresh token to authenticate longer than expected. This affects the administrative endpoints of the UAA. i.e. /Users, /Groups, etc. However, if the user has been deleted or had groups removed, or the client was deleted, the refresh token will no longer be valid.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.cloudfoundry.identity:cloudfoundry-identity-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.cloudfoundry.identity:cloudfoundry-identity-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.6.0"
            },
            {
              "fixed": "4.7.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.cloudfoundry.identity:cloudfoundry-identity-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.8.0"
            },
            {
              "fixed": "4.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.cloudfoundry.identity:cloudfoundry-identity-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.11.0"
            },
            {
              "fixed": "4.12.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.cloudfoundry.identity:cloudfoundry-identity-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.13.0"
            },
            {
              "fixed": "4.19.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-11047"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-01T23:43:02Z",
    "nvd_published_at": "2018-07-24T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "Cloud Foundry UAA, versions 4.19 prior to 4.19.2 and 4.12 prior to 4.12.4 and 4.10 prior to 4.10.2 and 4.7 prior to 4.7.6 and 4.5 prior to 4.5.7, incorrectly authorizes requests to admin endpoints by accepting a valid refresh token in lieu of an access token. Refresh tokens by design have a longer expiration time than access tokens, allowing the possessor of a refresh token to authenticate longer than expected. This affects the administrative endpoints of the UAA. i.e. /Users, /Groups, etc. However, if the user has been deleted or had groups removed, or the client was deleted, the refresh token will no longer be valid.",
  "id": "GHSA-r4v8-9hgx-vm6m",
  "modified": "2024-03-01T23:43:03Z",
  "published": "2022-05-13T01:49:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11047"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudfoundry/uaa/commit/0cd3c6fdd96206a1d6a376ac62e21e59e16cdcb1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudfoundry/uaa/commit/2906057dae995024576ce6afdc20abd85569514"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudfoundry/uaa/commit/4cb1be404cf4a82e39cf2a6357aa17af8b33f2a1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudfoundry/uaa/commit/4fa3e351ec0bface3b693810605905e29a9a8569"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudfoundry/uaa/commit/5d021e83ef143c64179d0da015aa76321ee40988"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudfoundry/uaa/commit/81aeb7a3aa048ea086c494f725d643e48dd9266"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudfoundry/uaa/commit/a1d523c7f150e56bf06df8b83ed1d416d6c1d3b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudfoundry/uaa/commit/aba1fb5f18e0d628628b2d960fc6d0cc62d86f5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudfoundry/uaa/commit/b37552d2bf084de059bc965b5ef5a45e64883904"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudfoundry/uaa/commit/bbbba5aec514ad88e7d1e168a2519c80229f02f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cloudfoundry/uaa"
    },
    {
      "type": "WEB",
      "url": "https://www.cloudfoundry.org/blog/cve-2018-11047"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cloud Foundry UAA accepts refresh token as access token on admin endpoints"
}

GHSA-R4WM-X892-VJMX

Vulnerability from github – Published: 2026-03-02 14:34 – Updated: 2026-03-02 14:34
VLAI
Summary
Nest has a Fastify URL Encoding Middleware Bypass
Details

Impact

What kind of vulnerability is it? Who is impacted?

A NestJS application using @nestjs/platform-fastify can allow bypass of any middleware when Fastify path-normalization options (e.g., ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter) are enabled. In affected route-scoped middleware setups, variant paths may skip middleware checks while still reaching the protected handler.

The bug is a path canonicalization mismatch between middleware matching and route matching in Nest’s Fastify adapter.

Nest passes Fastify routerOptions (such as ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter) to the Fastify router in packages/platform-fastify/adapters/fastify-adapter.ts:253.

But middleware execution is decided by a separate regex check over req.originalUrl in packages/platform-fastify/adapters/fastify-adapter.ts:706 and packages/platform-fastify/adapters/fastify-adapter.ts:713.

If that regex does not match, Nest does next() and skips the middleware (packages/platform-fastify/adapters/fastify-adapter.ts:714), while Fastify may still normalize the same path and route it to the protected handler. So the vulnerability exists because security checks (middleware) and request dispatch(router) use different URL interpretations.

This is a fail-open design issue (inconsistent normalization), not just a bad app config: non-default router options make the mismatch reachable.

Patches

Fixed in @nestjs/platform-fastify@11.1.14

References

Credit goes to Fluidattacks (Cristian Vargas) https://fluidattacks.com/advisories/neton

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.1.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nestjs/platform-fastify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.1.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-2293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-02T14:34:12Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nA NestJS application using `@nestjs/platform-fastify` can allow bypass of any middleware when Fastify path-normalization options (e.g., `ignoreTrailingSlash`, `ignoreDuplicateSlashes`, `useSemicolonDelimiter`) are enabled. In affected route-scoped middleware setups, variant paths may skip middleware checks while still reaching the protected handler.\n\nThe bug is a path canonicalization mismatch between middleware matching and route matching in Nest\u2019s Fastify adapter.\n\nNest passes Fastify routerOptions (such as `ignoreTrailingSlash`, `ignoreDuplicateSlashes`, `useSemicolonDelimiter`) to the Fastify router in packages/platform-fastify/adapters/fastify-adapter.ts:253.\n\nBut middleware execution is decided by a separate regex check over `req.originalUrl` in packages/platform-fastify/adapters/fastify-adapter.ts:706 and packages/platform-fastify/adapters/fastify-adapter.ts:713.\n\nIf that regex does not match, Nest does `next()` and skips the middleware (packages/platform-fastify/adapters/fastify-adapter.ts:714), while Fastify may still normalize the same path and route it to the protected handler. So the vulnerability exists because security checks (middleware) and request dispatch(router) use different URL interpretations.\n\nThis is a fail-open design issue (inconsistent normalization), not just a bad app config: non-default router options make the mismatch reachable.\n\n### Patches\n\nFixed in `@nestjs/platform-fastify@11.1.14`\n\n### References\n\nCredit goes to Fluidattacks ([Cristian Vargas](https://www.linkedin.com/in/cvmiracle/)) https://fluidattacks.com/advisories/neton",
  "id": "GHSA-r4wm-x892-vjmx",
  "modified": "2026-03-02T14:34:12Z",
  "published": "2026-03-02T14:34:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nestjs/nest/security/advisories/GHSA-r4wm-x892-vjmx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2293"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nestjs/nest/commit/fd8d073e0e048b185147209338ca7042e52c10ba"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/neton"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nestjs/nest"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nestjs/nest/releases/tag/v11.1.14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Nest has a Fastify URL Encoding Middleware Bypass "
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.