chore(deps): update dependency @nestjs/platform-fastify to v11.1.11 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@nestjs/platform-fastify (source)	11.1.6 → 11.1.11

GitHub Vulnerability Alerts

CVE-2025-69211

A NestJS application is vulnerable if it meets all of the following criteria:

1. Platform: Uses @nestjs/platform-fastify.
2. Security Mechanism: Relies on NestMiddleware (via MiddlewareConsumer) for security checks (authentication, authorization, etc.), or through app.use()
3. Routing: Applies middleware to specific routes using string paths or controllers (e.g., .forRoutes('admin')).
   Example Vulnerable Config:

// app.module.ts
export class AppModule implements NestModule {
  configure(consumer: MiddlewareConsumer) {
    consumer
      .apply(AuthMiddleware) // Security check
      .forRoutes('admin');   // Vulnerable: Path-based restriction
  }
}

Attack Vector:

• Target Route: /admin
• Middleware Path: admin
• Attack Request: GET /%61dmin
• Result: Middleware is skipped (no match on %61dmin), but controller for /admin is executed.

Consequences:

• Authentication Bypass: Unauthenticated users can access protected routes.
• Authorization Bypass: Restricted administrative endpoints become accessible to lower-privileged users.
• Input Validation Bypass: Middleware performing sanitization or validation can be skipped.

Patches

Patched in @nestjs/platform-fastify@11.1.11

Resources

Credit goes to Hacktron AI for reporting this issue.

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

---

Release Notes

nestjs/nest (@​nestjs/platform-fastify)

v11.1.11

Compare Source

v11.1.11 (2025-12-29)

Bug fixes

• platform-fastify
  • #​16135 fix(platform-fastify): middie bypassing through decoded chars (@​kamilmysliwiec)
• core
  • #​16133 fix(core): add missing catch handler for forward-ref provider resolution (@​coti-z)

Dependencies

• platform-socket.io
  • #​16125 fix(deps): update dependency socket.io to v4.8.3 (@​renovate[bot])
  • #​16114 chore(deps): bump socket.io from 4.8.1 to 4.8.2 (@​dependabot[bot])
• platform-fastify
  • #​16130 fix(deps): update dependency @​fastify/static to v9 (@​renovate[bot])
• common
  • #​16127 chore(deps): bump file-type from 21.1.1 to 21.2.0 (@​dependabot[bot])

Committers: 3

• Himanshu Gupta (@​manureja64)
• Kamil Mysliwiec (@​kamilmysliwiec)
• coti (@​coti-z)

v11.1.10

Compare Source

v11.1.10 (2025-12-22)

Bug fixes

• core
  • #​16098 fix(core): instantiate nested transient providers in static context (@​mag123c)
  • #​16005 fix(core): resolve all providers when using resolve() with each option (@​malkovitc)
• microservices
  • #​16072 fix(microservices): fix grpc stream method return type (@​shash-hq)
• common
  • #​16077 fix(common): resolve file-type path explicitly (@​shash-hq)
  • #​16013 fix(common): Support fallbackToMimetype without buffer (@​chenjieya)

Enhancements

• common
  • #​16100 fix(common): improve error handling in FileTypeValidator (@​malkovitc)
  • #​16060 feat(common): add message property to file type validator (@​Jo-Minseok)
  • #​16079 fix: enhance ValidationPipe (@​liu-jin-yi)
• core
  • #​15721 feat(core): add Promise support for SSE handlers (@​pythonjsgo)
• microservices
  • #​15975 feat(microservices): add keepalive support for server side (@​OlegStrokan)
• common, core
  • #​15986 feat(core): add option for async logger compatibility (@​mag123c)

Dependencies

• platform-fastify
  • #​16041 fix(deps): update dependency @​fastify/cors to v11.2.0 (@​renovate[bot])
• platform-express
  • #​16002 fix(deps): update dependency express to v5.2.1 (@​renovate[bot])
• common
  • #​15948 chore(deps): bump file-type from 21.1.0 to 21.1.1 (@​dependabot[bot])

Committers: 11

• Alexander (@​pythonjsgo)
• J_Coder (@​Jo-Minseok)
• Luke Son (@​KAPUIST)
• Oleh Strokan (@​OlegStrokan)
• Praveen Somasundaram (@​som14062005)
• Shashank (@​shash-hq)
• @​chenjieya
• @​giorgikakauridze
• @​mag123c
• chernomortsev evgeny (@​malkovitc)
• liu-jin-yi (@​liu-jin-yi)

v11.1.9

Compare Source

v11.1.9 (2025-11-14)

Bug fixes

• core
  • #​15865 fix(core): make get() throw for implicitly request-scoped trees (@​JoeNutt)

Enhancements

• common
  • #​15863 feat(common): add method options to @​sse decorator (@​TomerSteinberg)

Dependencies

• platform-fastify
  • #​15899 chore(deps): bump fastify from 5.6.1 to 5.6.2 (@​dependabot[bot])

Committers: 4

• Rami (@​JoeNutt)
• Rhynel Algopera (@​dev-rhynel)
• Tomer Steinberg (@​TomerSteinberg)
• WuMingDao (@​WuMingDao)

v11.1.8

Compare Source

v11.1.8 (2025-10-27)

Bug fixes

• core
  • #​15815 fix(core): ensure nested transient provider isolation (@​mag123c)
• platform-fastify
  • #​15831 fix(fastify): Migrate fastify top-level options to routerOptions (@​kim-sung-jee)

Committers: 2

• JaeHo Jang (@​mag123c)
• Seongjee Kim (@​kim-sung-jee)

v11.1.7

Compare Source

v11.1.7 (2025-10-21)

Bug fixes

• microservices
  • #​15747 Fix/rmq microservice fanout bind (@​slon2015)
• platform-fastify
  • #​15732 fix: correct parameter type in RouteConstraints decorator (@​thedv91)
• core
  • #​15571 fix(core): skip lifecycle hooks for non-instantiated transient services (@​mag123c)
• common
  • #​15577 Add color allowance check to console logger options (@​kerryChen95)

Enhancements

• common, platform-socket.io, websockets
  • #​15543 feat(websockets): allow manual acknowledgement handling with @​Ack() decorator (@​kim-sung-jee)
• common
  • #​15705 fix(core): resolve extras in configurable module builder async methods (@​mag123c)
• common, core
  • #​15503 feat(common): add force-console option to console logger (@​mag123c)
• core
  • #​15588 fix(core): improve dependency resolution error messages (@​at7211)
• microservices
  • #​15598 feat(errors): add InvalidTcpDataReceptionException for handling TCP receive errors​ (@​ghyghoo8)

Dependencies

• platform-fastify
  • #​15664 chore(deps): bump fastify to 5.6.1 (@​dependabot[bot])
• core, platform-express, platform-fastify
  • #​15622 fix(deps): update dependency path-to-regexp to v8.3.0 (@​renovate[bot])
• common
  • #​15566 chore(deps): bump load-esm from 1.0.2 to 1.0.3 (@​dependabot[bot])

Committers: 9

• Harry (@​thedv91)
• JaeHo Jang (@​mag123c)
• Jay-Chou (@​at7211)
• Kerry (@​kerryChen95)
• Micael Levi L. Cavalcante (@​micalevisk)
• Seongjee Kim (@​kim-sung-jee)
• SerafimGerasimov (@​slon2015)
• @​Olexandr88
• ghy (@​ghyghoo8)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.