Broken Object Property Level Authorization

Broken Object Property Level Authorization in NestJS [CVE-2026-2293]

[Updated March 2026] Updated CVE-2026-2293

Overview

CVE-2026-2293 describes a Broken Object Property Level Authorization vulnerability in NestJS applications that use @nestjs/platform-fastify. When Fastify path normalization options are enabled, route matching changes in a way that can bypass authentication or authorization middleware. In practice, an attacker can reach protected endpoints by requesting URL forms whose normalized version is routed to a protected handler while the guards or middleware that would normally enforce access control are not applied.

The issue is tracked as CWE-863 (Incorrect Authorization) and has been observed in NestJS deployments around version 11.1.13, so services that expose sensitive APIs through the Fastify adapter should review their security posture. If exploited, attackers could access or manipulate resources they should not be able to reach, undermining the confidentiality and integrity of protected data.

This class of vulnerability appears when route normalization logic interacts with middleware scope, so that access controls are enforced inconsistently across normalized and non-normalized URL forms. Remediation is to stop relying on path normalization for security and instead apply robust, global authorization checks whose outcome does not depend on URL form.

Affected Versions

11.1.13

Code Fix Example

NestJS API Security Remediation

/* Vulnerable pattern (example): src/main.ts */
import { IncomingMessage, ServerResponse } from 'http';
import { NestFactory } from '@nestjs/core';
import { FastifyAdapter, NestFastifyApplication } from '@nestjs/platform-fastify';
import { AppModule } from './app.module';

async function bootstrap() {
  // Enabling path normalization can allow a bypass when authorization is not global:
  // the router matches routes on the normalized URL, while middleware mounted on a
  // path prefix is not selected the same way, so the two can disagree.
  const app = await NestFactory.create<NestFastifyApplication>(
    AppModule,
    new FastifyAdapter({
      ignoreTrailingSlash: true, // path normalization option contributing to the vulnerability
      caseSensitive: false,
    }),
  );

  // Middleware intentionally scoped to a subset of routes (vulnerable pattern)
  app.use('/api/protected', (req: IncomingMessage, res: ServerResponse, next: () => void) => {
    // pretend authentication/authorization check here (inadequate)
    next();
  });

  await app.listen(3000);
}
bootstrap();

/* Fixed version: src/main.ts - drop the normalization options and apply a global auth guard */
import { NestFactory } from '@nestjs/core';
import { FastifyAdapter, NestFastifyApplication } from '@nestjs/platform-fastify';
import { AppModule } from './app.module';
import { JwtAuthGuard } from './auth/jwt-auth.guard';

async function bootstrapFixed() {
  // No ignoreTrailingSlash / caseSensitive options: security no longer depends on URL form
  const app = await NestFactory.create<NestFastifyApplication>(AppModule, new FastifyAdapter());
  // Enforce authentication/authorization globally, on every route, independent of path normalization.
  // A guard registered with useGlobalGuards() cannot have dependencies injected; if JwtAuthGuard
  // needs DI, register it in a module as an APP_GUARD provider instead.
  app.useGlobalGuards(new JwtAuthGuard());
  await app.listen(3000);
}
bootstrapFixed();
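The inconsistency the advisory describes, and a check a reviewer can run against a guard, as an added TypeScript example that is not code from the advisory or from NestJS/Fastify. It models only the two Fastify options named above (ignoreTrailingSlash, caseSensitive) with a hand-written normalizer, assumes that prefix-scoped middleware is selected by a case-sensitive prefix test on the raw request path (an approximation, not Fastify's real router), and uses constructed sample paths; the route prefix '/api/protected', the 'user' role and all function names are illustrative.

```typescript
// Added example, not code from the advisory or from NestJS/Fastify. It models
// how a normalizing router and prefix-scoped middleware can disagree, and gives
// a review check that a guard's decision does not depend on URL form.

interface NormalizeOptions {
  ignoreTrailingSlash: boolean;
  caseSensitive: boolean;
}

interface Principal {
  authenticated: boolean;
  roles: string[];
}

type Guard = (rawPath: string, principal: Principal, opts: NormalizeOptions) => boolean;

// Mirrors the two options in the advisory's vulnerable FastifyAdapter config.
const NORMALIZING: NormalizeOptions = { ignoreTrailingSlash: true, caseSensitive: false };
// Mirrors the fixed config, which passes no normalization options.
const STRICT: NormalizeOptions = { ignoreTrailingSlash: false, caseSensitive: true };
// Illustrative protected prefix (assumption, taken from the advisory's example).
const PROTECTED_PREFIX = '/api/protected';

// Simplified normalizer: strip the query string, then apply the two modelled
// options. Approximation only; Fastify's router is not reproduced here.
function normalizePath(rawPath: string, opts: NormalizeOptions): string {
  let path = rawPath.split('?')[0] ?? rawPath;
  if (opts.ignoreTrailingSlash && path.length > 1 && path.endsWith('/')) {
    path = path.slice(0, -1);
  }
  if (!opts.caseSensitive) {
    path = path.toLowerCase();
  }
  return path;
}

// Router side: the request reaches a handler when its normalized path equals the route.
function routeMatches(rawPath: string, route: string, opts: NormalizeOptions): boolean {
  return normalizePath(rawPath, opts) === normalizePath(route, opts);
}

// Vulnerable pattern: middleware mounted on a prefix is selected from the RAW
// path (modelled as a case-sensitive prefix test) before any normalization.
function scopedMiddlewareRuns(rawPath: string, mountPrefix: string): boolean {
  return (rawPath.split('?')[0] ?? rawPath).startsWith(mountPrefix);
}

// Effective decision of the vulnerable setup: if the scoped middleware did not
// run, nothing denies the request.
const scopedMiddlewareAllows: Guard = (rawPath, principal) =>
  scopedMiddlewareRuns(rawPath, PROTECTED_PREFIX)
    ? principal.authenticated && principal.roles.includes('user')
    : true;

// Fixed pattern: one global guard decides for every request from the
// normalized path, so URL form cannot change the outcome.
const globalGuardAllows: Guard = (rawPath, principal, opts) =>
  normalizePath(rawPath, opts).startsWith(PROTECTED_PREFIX)
    ? principal.authenticated && principal.roles.includes('user')
    : true;

// Paths routed to the protected handler although the scoped middleware never
// ran: the gap the advisory describes.
function findUnguardedVariants(
  rawPaths: string[], protectedRoute: string, mountPrefix: string, opts: NormalizeOptions,
): string[] {
  return rawPaths.filter(
    (p) => routeMatches(p, protectedRoute, opts) && !scopedMiddlewareRuns(p, mountPrefix),
  );
}

// Review check: a guard is form-invariant when every raw path that normalizes
// to the same route receives the same decision. Returns the paths that break it.
function nonInvariantPaths(
  rawPaths: string[], principal: Principal, opts: NormalizeOptions, guard: Guard,
): string[] {
  const decisionByRoute = new Map<string, boolean>();
  const offenders: string[] = [];
  for (const p of rawPaths) {
    const key = normalizePath(p, opts);
    const decision = guard(p, principal, opts);
    const seen = decisionByRoute.get(key);
    if (seen === undefined) {
      decisionByRoute.set(key, decision);
    } else if (seen !== decision) {
      offenders.push(p);
    }
  }
  return offenders;
}

// Constructed sample input: several URL forms of the same protected route.
const SAMPLE_PATHS = ['/api/protected', '/API/protected', '/api/protected/', '/api/protected?x=1'];
const ANONYMOUS: Principal = { authenticated: false, roles: [] };

console.log('unguarded, normalizing config :', findUnguardedVariants(SAMPLE_PATHS, PROTECTED_PREFIX, PROTECTED_PREFIX, NORMALIZING));
console.log('unguarded, strict config      :', findUnguardedVariants(SAMPLE_PATHS, PROTECTED_PREFIX, PROTECTED_PREFIX, STRICT));
console.log('scoped middleware, inconsistent:', nonInvariantPaths(SAMPLE_PATHS, ANONYMOUS, NORMALIZING, scopedMiddlewareAllows));
console.log('global guard, inconsistent     :', nonInvariantPaths(SAMPLE_PATHS, ANONYMOUS, NORMALIZING, globalGuardAllows));
```

With the normalizing configuration the scoped middleware and the router disagree on one sample path; with the strict configuration they agree on all of them, and the global guard gives the same answer for every form regardless of configuration. The nonInvariantPaths check is the property worth adding to an application's tests: feed it the URL variants your router would accept for each protected route and require an empty result.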
