{"url":"http://public2.vulnerablecode.io/api/packages/921748?format=json","purl":"pkg:npm/%40nestjs/platform-fastify@7.5.1","type":"npm","namespace":"@nestjs","name":"platform-fastify","version":"7.5.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"11.1.16","latest_non_vulnerable_version":"11.1.16","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90854?format=json","vulnerability_id":"VCID-71ms-9bju-77a8","summary":"Nest Fastify HEAD Request Middleware Bypass\n### Impact\n\nIn a NestJS application using `@nestjs/platform-fastify`, GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist).\n\nAs a result:\n\n- Middleware will be completely skipped.\n- The HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET handler).\n- The actual handler will still be executed.\n\n### Patches\n\nFixed in 
`@nestjs/platform-fastify@11.1.16`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33011","reference_id":"","reference_type":"","scores":[{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13545","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.1349","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13459","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13587","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13582","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33011"},{"reference_url":"https://github.com/nestjs/nest","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nestjs/nest"},{"reference_url":"https://github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d05ecea2ae4af95c464614","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T15:48:14Z/"}],"url":"https://github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d05ecea2ae4af95c464614"},{"reference_url":"https://github.com/nestjs/nest/releases/tag/v11.1.17","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements
":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T15:48:14Z/"}],"url":"https://github.com/nestjs/nest/releases/tag/v11.1.17"},{"reference_url":"https://github.com/nestjs/nest/security/advisories/GHSA-wf42-42fg-fg84","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T15:48:14Z/"}],"url":"https://github.com/nestjs/nest/security/advisories/GHSA-wf42-42fg-fg84"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33011","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33011"},{"reference_url":"https://github.com/advisories/GHSA-wf42-42fg-fg84","reference_id":"GHSA-wf42-42fg-fg84","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wf42-42fg-fg84"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112743?format=json","purl":"pkg:npm/%40nestjs/platform-fastify@11.1.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540nestjs/platform-fastify@11.1.16"}],"aliases":["CVE-2026-33011","GHSA-wf42-42fg-fg84"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-71ms-9bju-77a8"},{"url":"http://public2.vulnerablecode.io/api/vulner
abilities/50440?format=json","vulnerability_id":"VCID-7jtv-1fb5-bfa4","summary":"Duplicate Advisory: Nest has a Fastify URL Encoding Middleware Bypass\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-r4wm-x892-vjmx. This link is maintained to preserve external references.\n\n## Original Description\n\nA NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled.\n\n\n\nThis issue affects nest.Js: 11.1.13.","references":[{"reference_url":"https://fluidattacks.com/advisories/neton","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://fluidattacks.com/advisories/neton"},{"reference_url":"https://github.com/nestjs/nest","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nestjs/nest"},{"reference_url":"https://github.com/nestjs/nest/releases/tag/v11.1.14","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nestjs/nest/releases/tag/v11.1.14"},{"reference_
url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2293","reference_id":"CVE-2026-2293","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2293"},{"reference_url":"https://github.com/advisories/GHSA-7q64-3rg2-h9pf","reference_id":"GHSA-7q64-3rg2-h9pf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7q64-3rg2-h9pf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74337?format=json","purl":"pkg:npm/%40nestjs/platform-fastify@11.1.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-71ms-9bju-77a8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540nestjs/platform-fastify@11.1.14"}],"aliases":["GHSA-7q64-3rg2-h9pf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7jtv-1fb5-bfa4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50504?format=json","vulnerability_id":"VCID-ax3k-md7j-4bcx","summary":"Nest has a Fastify URL Encoding Middleware Bypass\n_What kind of vulnerability is it? Who is impacted?_\n\nA NestJS application using `@nestjs/platform-fastify` can allow bypass of any middleware when Fastify path-normalization options (e.g., `ignoreTrailingSlash`, `ignoreDuplicateSlashes`, `useSemicolonDelimiter`) are enabled. 
In affected route-scoped middleware setups, variant paths may skip middleware checks while still reaching the protected handler.\n\nThe bug is a path canonicalization mismatch between middleware matching and route matching in Nest’s Fastify adapter.\n\nNest passes Fastify routerOptions (such as `ignoreTrailingSlash`, `ignoreDuplicateSlashes`, `useSemicolonDelimiter`) to the Fastify router in packages/platform-fastify/adapters/fastify-adapter.ts:253.\n\nBut middleware execution is decided by a separate regex check over `req.originalUrl` in packages/platform-fastify/adapters/fastify-adapter.ts:706 and packages/platform-fastify/adapters/fastify-adapter.ts:713.\n\nIf that regex does not match, Nest calls `next()` and skips the middleware (packages/platform-fastify/adapters/fastify-adapter.ts:714), while Fastify may still normalize the same path and route it to the protected handler. So the vulnerability exists because security checks (middleware) and request dispatch (router) use different URL interpretations.\n\nThis is a fail-open design issue (inconsistent normalization), not just a bad app config: non-default router options make the mismatch 
reachable.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2293.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2293.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-2293","reference_id":"","reference_type":"","scores":[{"value":"0.00431","scoring_system":"epss","scoring_elements":"0.62956","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00431","scoring_system":"epss","scoring_elements":"0.62953","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00431","scoring_system":"epss","scoring_elements":"0.62962","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00431","scoring_system":"epss","scoring_elements":"0.62951","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00431","scoring_system":"epss","scoring_elements":"0.62938","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-2293"},{"reference_url":"https://fluidattacks.com/advisories/neton","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T17:06:38Z/"}],"url":"https://fluidattacks.com/advisories/neton"},{"reference_url":"https://github.com/nestjs/nest","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nestjs/nest"},{"reference_url":"https://github.com/nestjs/nest/commit/fd8d073e0e048b185147209338c
a7042e52c10ba","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nestjs/nest/commit/fd8d073e0e048b185147209338ca7042e52c10ba"},{"reference_url":"https://github.com/nestjs/nest/releases/tag/v11.1.14","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T17:06:38Z/"}],"url":"https://github.com/nestjs/nest/releases/tag/v11.1.14"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2443367","reference_id":"2443367","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2443367"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2293","reference_id":"CVE-2026-2293","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2293"},{"reference_url":"https://github.com/advisories/GHSA-r4wm-x892-vjmx","reference_id":"GHSA-r4wm-x892-vjmx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r4wm-x892-vjmx"},{"reference_url":"https://github.com/nestjs/nest/security/advisories/GHSA-r4wm-x892-vjmx","reference_id":"GHSA-r4wm-x892-vjmx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/A
C:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nestjs/nest/security/advisories/GHSA-r4wm-x892-vjmx"},{"reference_url":"https://github.com/nestjs/nest/","reference_id":"nest","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-27T17:06:38Z/"}],"url":"https://github.com/nestjs/nest/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74337?format=json","purl":"pkg:npm/%40nestjs/platform-fastify@11.1.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-71ms-9bju-77a8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540nestjs/platform-fastify@11.1.14"}],"aliases":["CVE-2026-2293","GHSA-r4wm-x892-vjmx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ax3k-md7j-4bcx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49538?format=json","vulnerability_id":"VCID-xphx-vs3y-pyf9","summary":"Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)\nA NestJS application is vulnerable if it meets all of the following criteria:\n\n1. Platform: Uses `@nestjs/platform-fastify`.\n2. Security Mechanism: Relies on `NestMiddleware` (via `MiddlewareConsumer`) for security checks (authentication, authorization, etc.), or through `app.use()`\n3. 
Routing: Applies middleware to specific routes using string paths or controllers (e.g., `.forRoutes('admin')`).\nExample Vulnerable Config:\n\n```ts\n// app.module.ts\nexport class AppModule implements NestModule {\nconfigure(consumer: MiddlewareConsumer) {\nconsumer\n.apply(AuthMiddleware) // Security check\n.forRoutes('admin');   // Vulnerable: Path-based restriction\n}\n}\n```\n\nAttack Vector:\n\n- Target Route: `/admin`\n- Middleware Path: `admin`\n- Attack Request: `GET /%61dmin`\n- Result: Middleware is skipped (no match on `%61dmin`), but controller for `/admin` is executed.\n\nConsequences:\n\n- Authentication Bypass: Unauthenticated users can access protected routes.\n- Authorization Bypass: Restricted administrative endpoints become accessible to lower-privileged users.\n- Input Validation Bypass: Middleware performing sanitization or validation can be skipped.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69211.json","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69211.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-69211","reference_id":"","reference_type":"","scores":[{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.0767","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07657","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07684","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08861","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.0882","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-69211"},{"reference_url":"https://git
hub.com/nestjs/nest","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nestjs/nest"},{"reference_url":"https://github.com/nestjs/nest/commit/c4cedda15a05aafec1e6045b36b0335ab850e771","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-12-29T16:49:53Z/"}],"url":"https://github.com/nestjs/nest/commit/c4cedda15a05aafec1e6045b36b0335ab850e771"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2425826","reference_id":"2425826","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2425826"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69211","reference_id":"CVE-2025-69211","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69211"},{"reference_url":"https://github.com/advisories/GHSA-8wpr-639p-ccrj","reference_id":"GHSA-8wpr-639p-ccrj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8wpr-639p-ccrj"},{"reference_url":"https://github.com/nestjs/nest/security/advisories/GHSA-8wpr-639p-ccrj","reference_id":"GHSA-8wpr-639p-ccrj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system
":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-12-29T16:49:53Z/"}],"url":"https://github.com/nestjs/nest/security/advisories/GHSA-8wpr-639p-ccrj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73141?format=json","purl":"pkg:npm/%40nestjs/platform-fastify@11.1.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-71ms-9bju-77a8"},{"vulnerability":"VCID-7jtv-1fb5-bfa4"},{"vulnerability":"VCID-ax3k-md7j-4bcx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540nestjs/platform-fastify@11.1.11"}],"aliases":["CVE-2025-69211","GHSA-8wpr-639p-ccrj"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xphx-vs3y-pyf9"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540nestjs/platform-fastify@7.5.1"}