Threat Advisory

Nest Fastify HEAD Request Middleware Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

The vulnerability CVE-2026-33011 is a high-severity issue affecting the @nestjs/platform-fastify package; all versions up to and including 11.1.15 are vulnerable. It has a CVSS score of 8.7, indicating a significant security risk: exploitation is network-based and requires neither privileges nor user interaction. The flaw arises because Fastify automatically maps HEAD requests to the corresponding GET handlers, which leads to unintended execution paths. This behavior allows attackers to bypass middleware protections entirely, as security controls applied to GET routes are skipped when a HEAD request is used. Although the middleware is bypassed, the underlying route handler is still executed, creating a gap in the enforcement of authentication or validation logic. The vulnerability primarily impacts integrity, enabling unauthorized actions or manipulation of application behavior without triggering the expected safeguards. Confidentiality and availability impacts are minimal, but the integrity impact is considered high due to unauthorized execution. This issue can be exploited remotely over the network, increasing its exposure in real-world deployments.
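The mechanism the summary describes, middleware keyed on method and path while the framework silently serves HEAD from the GET handler, can be shown in a small self-contained model. The following is an added example written for this advisory; it is not Fastify or NestJS code, and every name in it (buildRouter, dispatch, requireAuth, secretReport, the autoHead and guardAllMethods options) is invented for the illustration. It builds the same application twice: once with method-keyed guards, where an unauthenticated HEAD reaches the handler, and once with the guard registered per path so it runs for every method.

```javascript
// Added example: a minimal model of a router that auto-maps HEAD to GET
// handlers, written for this advisory; it is not Fastify or NestJS code.
// All names here are invented for the illustration, and the sample
// requests at the bottom are constructed.

// Build a router. `autoHead` mirrors a framework that answers HEAD by
// invoking the matching GET handler. `guardAllMethods` is the hardening:
// middleware is keyed by path alone instead of by method and path.
function buildRouter({ autoHead = true, guardAllMethods = false } = {}) {
  const handlers = new Map();   // "METHOD path" -> handler
  const middleware = new Map(); // "METHOD path" (or "path") -> [fn]

  return {
    route(method, path, handler) {
      handlers.set(`${method} ${path}`, handler);
    },
    use(method, path, fn) {
      const key = guardAllMethods ? path : `${method} ${path}`;
      if (!middleware.has(key)) middleware.set(key, []);
      middleware.get(key).push(fn);
    },
    dispatch(req) {
      const trace = [];
      const mwKey = guardAllMethods ? req.path : `${req.method} ${req.path}`;
      for (const fn of middleware.get(mwKey) || []) {
        trace.push(fn.name);
        const res = fn(req);
        if (res) return { status: res.status, trace }; // guard short-circuits
      }
      // Handler lookup: an exact match first, then the HEAD -> GET fallback.
      let handler = handlers.get(`${req.method} ${req.path}`);
      if (!handler && autoHead && req.method === 'HEAD') {
        handler = handlers.get(`GET ${req.path}`);
      }
      if (!handler) return { status: 404, trace };
      trace.push(handler.name);
      const body = handler(req);
      return { status: 200, body: req.method === 'HEAD' ? undefined : body, trace };
    },
  };
}

// Guard that rejects requests lacking an Authorization header.
function requireAuth(req) {
  if (!req.headers.authorization) return { status: 401 };
  return null;
}

// Application with one protected GET route whose handler has a side effect,
// standing in for any route where execution alone matters (integrity impact).
function makeApp(opts) {
  const router = buildRouter(opts);
  let executions = 0;
  function secretReport() { executions += 1; return 'report'; }
  router.use('GET', '/report', requireAuth);
  router.route('GET', '/report', secretReport);
  return { router, handlerRuns: () => executions };
}

// Constructed sample requests: same path, no credentials, two methods.
const unauthGet  = { method: 'GET',  path: '/report', headers: {} };
const unauthHead = { method: 'HEAD', path: '/report', headers: {} };

// Dispatch both requests against a fresh app and report what ran.
function demo(opts) {
  const { router, handlerRuns } = makeApp(opts);
  const get = router.dispatch(unauthGet);
  const head = router.dispatch(unauthHead);
  return { get, head, handlerRuns: handlerRuns() };
}

console.log('vulnerable:', JSON.stringify(demo({ autoHead: true })));
console.log('hardened: ', JSON.stringify(demo({ autoHead: true, guardAllMethods: true })));
```

In the first configuration the trace for the HEAD request contains only `secretReport`: the guard never ran and the handler's side effect happened, which is exactly the integrity gap the advisory describes. In the second, `requireAuth` runs for HEAD as well and the request is rejected before the handler. The same model also shows the other mitigation, turning the automatic mapping off (`autoHead: false`), after which an unmatched HEAD returns 404 instead of reaching the GET handler; whichever a project chooses, the check to make during review is that every guard attached to a GET route is also applied to HEAD on the same path.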

RECOMMENDATION:

We strongly recommend you update @nestjs/platform-fastify to version 11.1.16.

REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-wf42-42fg-fg84
