chore(deps): update dependency @nestjs/platform-fastify to v11.1.16 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@nestjs/platform-fastify (source)	11.1.14 → 11.1.16

---

Nest Fastify HEAD Request Middleware Bypass

CVE-2026-33011 / GHSA-wf42-42fg-fg84

More information

Details

Impact

In a NestJS application using @nestjs/platform-fastify, GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist).

As a result:

• Middleware will be completely skipped.
• The HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET handler).
• The actual handler will still be executed.

Patches

Fixed in @nestjs/platform-fastify@11.1.16

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/nestjs/nest/security/advisories/GHSA-wf42-42fg-fg84
• https://github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d05ecea2ae4af95c464614
• https://github.com/nestjs/nest/releases/tag/v11.1.17
• https://nvd.nist.gov/vuln/detail/CVE-2026-33011
• https://github.com/advisories/GHSA-wf42-42fg-fg84

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

nestjs/nest (@​nestjs/platform-fastify)

v11.1.16

Compare Source

v11.1.16 (2026-03-05)

Bug fixes

• microservices
  • #​16506 fix(microservices): fix double callback when isdisposed or err is truthy (@​LhonRafaat)

Dependencies

• platform-express
  • #​16507 fix(deps): update dependency multer to v2.1.1 (@​renovate[bot])

Committers: 2

• Lhon (@​LhonRafaat)
• Shahnoor Mujawar (@​shahnoormujawar)

v11.1.15

Compare Source

What's Changed

• fix(microservices): if indexOf return 0 will if will be falsy by @​cuiweixie in #​16401
• fix(microservices): introuduce max pattern depth and object complexity by @​kamilmysliwiec in #​16402
• chore(@​nestjs/core): allow override for initializeWildcardHandlersIfE… by @​StNekroman in #​16468
• chore(deps): update dependency @​fastify/middie to v9.2.0 [security] by @​renovate[bot] in #​16472
• fix(deps): update dependency multer to v2.1.0 [security] by @​renovate[bot] in #​16474

New Contributors

• @​cuiweixie made their first contribution in #​16401
• @​StNekroman made their first contribution in #​16468

Full Changelog: nestjs/nest@v11.1.14...v11.1.15

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.