Security Advisory - Published 2026-06-23 - Node.js runtime

expr-eval, NestJS Fastify, and http-proxy-middleware: check runtime trust boundaries

This Node batch covers three trust boundaries inside application code: expression compilation, middleware route coverage, and proxy body handling. Patch the dependencies first, then review whether user input can cross any of those boundaries before it is validated.

Defensive scope: use this page on repositories, services, and proxies you own or are approved to review. Do not test third-party routes.

Affected packages

CVE-2026-12866  expr-eval
  Affected / fixed: no fixed release
  Review: remove untrusted toJSFunction() use, or replace expr-eval, until a fixed release is available
  CVSS: 9.8

CVE-2026-54281  @nestjs/platform-fastify
  Affected / fixed: < 11.1.24 / 11.1.24
  Review: upgrade NestJS to 11.1.24 or newer and review Fastify route middleware coverage
  CVSS: 8.7

CVE-2026-55603  http-proxy-middleware
  Affected / fixed: fixed in 3.0.7 (3.x line) and 4.1.1 (4.x line)
  Review: upgrade http-proxy-middleware to 3.0.7 or 4.1.1 and review fixRequestBody() use
  CVSS: 7.5

Owner self-check

# Locate the packages in manifests and lockfiles (lockfiles list names unquoted, so the pattern carries no quotes)
grep -RniE 'expr-eval|@nestjs/platform-fastify|http-proxy-middleware' package.json package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null
# Find the call sites and registrations this advisory is about
grep -RniE 'toJSFunction|new Parser|MiddlewareConsumer|forRoutes|FastifyAdapter|fixRequestBody|multipart/form-data' src server app 2>/dev/null | head -160
# Recent log lines that touch proxying, middleware, auth, validation, or workers
grep -RniE 'proxy|middleware|auth|validation|worker' logs var/log 2>/dev/null | tail -160
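The grep above only shows that a package name appears somewhere; it does not tell you whether the resolved version is below the fix, and a nested copy under another dependency is easy to miss. The script below, an added example rather than anything from the advisory or the packages, walks the "packages" map of a lockfileVersion 2/3 package-lock.json and flags each installed copy against the fixed releases in the table. The vulnerability policy it encodes (no fix at all is vulnerable; older than the fix on the same major line is vulnerable; a major line newer than every listed fix is assumed fixed) is my assumption, and the sample lockfile is constructed.

```javascript
'use strict';

// Fixed releases from the advisory table. expr-eval has no fixed release,
// so every installed version is flagged.
const FIXED_RELEASES = {
  'expr-eval': [],
  '@nestjs/platform-fastify': ['11.1.24'],
  'http-proxy-middleware': ['3.0.7', '4.1.1'],
};

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Policy (an assumption, stated so reviewers can disagree with it):
//  - no fixed release at all               -> vulnerable
//  - a fix exists on the same major line   -> vulnerable if older than it
//  - no fix on this major line             -> vulnerable if the line is older
//    than the newest fixed line; a newer major than any fix is assumed fixed
function isVulnerable(name, version) {
  const fixes = FIXED_RELEASES[name];
  if (!fixes) throw new Error(`no advisory entry for ${name}`);
  if (fixes.length === 0) return true;
  const major = parseVersion(version)[0];
  const sameLine = fixes.find((f) => parseVersion(f)[0] === major);
  if (sameLine) return compareVersions(version, sameLine) < 0;
  const newestFixedMajor = Math.max(...fixes.map((f) => parseVersion(f)[0]));
  return major < newestFixedMajor;
}

// Every install path of `name` in a lockfileVersion 2/3 "packages" map,
// including copies nested under other dependencies.
function findInstalled(lock, name) {
  const suffix = `node_modules/${name}`;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if ((path === suffix || path.endsWith(`/${suffix}`)) && entry.version) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

function auditLock(lock) {
  const findings = [];
  for (const name of Object.keys(FIXED_RELEASES)) {
    for (const { path, version } of findInstalled(lock, name)) {
      findings.push({ name, path, version, vulnerable: isVulnerable(name, version) });
    }
  }
  return findings;
}

// Constructed sample lockfile (not from any real project): a vulnerable copy
// of each package plus a fixed top-level http-proxy-middleware.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'gateway', version: '1.0.0' },
    'node_modules/expr-eval': { version: '2.0.2' },
    'node_modules/@nestjs/platform-fastify': { version: '11.1.23' },
    'node_modules/http-proxy-middleware': { version: '3.0.7' },
    'node_modules/legacy-gateway/node_modules/http-proxy-middleware': { version: '2.0.6' },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]; with no argument the
// constructed sample above is audited.
if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  for (const f of auditLock(lock)) {
    console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok        '} ${f.name}@${f.version} (${f.path})`);
  }
}
```

Nested copies matter here: a top-level http-proxy-middleware at 3.0.7 passes while a 2.x copy pulled in by an older internal package still needs an upgrade, and only the lockfile walk surfaces both.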

What to review

  • expr-eval: any use of `toJSFunction()` with expressions that come from users, tenants, scripts, formulas, dashboards, or workflow rules.
  • NestJS: Fastify adapter routes protected by middleware registered through `MiddlewareConsumer.forRoutes()`; confirm the route patterns actually match the sensitive routes they are meant to cover.
  • http-proxy-middleware: gateways that call `fixRequestBody()` after a body parser has already consumed multipart form data, so the body forwarded upstream may differ from the one that was parsed and validated.
  • Logs for requests that reached privileged route handlers, upstream services, or worker processes without the expected validation record.
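The multipart review item is easiest to reason about with the re-serialisation step in front of you. The hook below is an added example, not code from http-proxy-middleware or from this advisory: it rewrites an already-parsed body only for media types whose bytes it can reproduce exactly (JSON and urlencoded forms), and fails closed on multipart/form-data, where the parser has already consumed the stream and the boundaries and file parts cannot be rebuilt. The `proxyReq`/`req`/`res` shapes follow what http-proxy passes to its proxyReq event; wiring it through http-proxy-middleware v3's `on: { proxyReq }` option is my assumption, and the requests and fake objects are constructed.

```javascript
'use strict';

// Media type without parameters, lower-cased, so "Application/JSON; charset=utf-8"
// classifies the same as "application/json".
function mediaType(req) {
  const ct = (req.headers && req.headers['content-type']) || '';
  return ct.split(';')[0].trim().toLowerCase();
}

// Re-serialise an already-parsed body only when the bytes can be reproduced
// faithfully. `proxyReq` is assumed to be the http.ClientRequest-like object
// that http-proxy hands to the proxyReq event (setHeader/write/destroy).
function guardedFixRequestBody(proxyReq, req) {
  if (req.body === undefined || req.body === null) return { action: 'passthrough' };
  const type = mediaType(req);
  let payload;
  if (type === 'application/json') {
    payload = JSON.stringify(req.body);
  } else if (type === 'application/x-www-form-urlencoded') {
    payload = new URLSearchParams(req.body).toString();
  } else if (type === 'multipart/form-data') {
    // The parser has consumed the stream; boundaries and file parts are gone.
    // Rebuilding a body here would hand the upstream something this proxy
    // never validated, so fail closed instead.
    return { action: 'reject', reason: 'multipart body already consumed by a parser ahead of the proxy' };
  } else {
    return { action: 'passthrough', reason: `no re-serialiser for ${type || 'missing content-type'}` };
  }
  const bytes = Buffer.byteLength(payload);
  proxyReq.setHeader('Content-Length', bytes);
  proxyReq.write(payload);
  return { action: 'rewritten', bytes };
}

// Hook shape assumed for http-proxy-middleware v3 `on: { proxyReq }` (my
// wiring, not the library's own fixRequestBody): answer 415 and abort the
// upstream request instead of forwarding an unreproducible body.
function proxyReqHook(proxyReq, req, res) {
  const result = guardedFixRequestBody(proxyReq, req);
  if (result.action === 'reject') {
    proxyReq.destroy();
    res.writeHead(415, { 'content-type': 'text/plain' });
    res.end(result.reason);
  }
  return result;
}

// Constructed requests and fake proxyReq/res objects so the hook runs offline.
function fakeProxyReq() {
  return {
    headers: {}, chunks: [], destroyed: false,
    setHeader(k, v) { this.headers[k.toLowerCase()] = v; },
    write(c) { this.chunks.push(c); },
    destroy() { this.destroyed = true; },
  };
}
function fakeRes() {
  return { status: 0, body: '', writeHead(s) { this.status = s; }, end(b) { this.body = b || ''; } };
}
const SAMPLE_REQUESTS = {
  json: { headers: { 'content-type': 'Application/JSON; charset=utf-8' }, body: { user: 'alice', role: 'admin' } },
  form: { headers: { 'content-type': 'application/x-www-form-urlencoded' }, body: { q: 'a b', page: '2' } },
  multipart: { headers: { 'content-type': 'multipart/form-data; boundary=----sample' }, body: { field: 'value' } },
  none: { headers: { 'content-type': 'application/json' } },
};
```

If the gateway genuinely needs to inspect multipart uploads, the cleaner fix is structural: mount the body parser only on the routes that terminate at this service, and let the proxied routes stream the raw request through untouched.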

Safe fix path

  1. Remove untrusted expr-eval `toJSFunction()` use. If the path is required, isolate it from production secrets and customer data.
  2. Upgrade NestJS to 11.1.24 or newer and rerun route authorization tests for the Fastify adapter.
  3. Upgrade http-proxy-middleware to 3.0.7 or 4.1.1 and recheck body-parser and upstream validation behavior.
  4. Preserve proxy, API, and worker logs before rotating tokens or rebuilding containers.
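Step 1 is the one teams stall on, because the product feature behind `toJSFunction()` (tenant formulas, dashboard expressions, workflow rules) still has to work. The evaluator below is an added example, not the advisory's or expr-eval's code: it gives back a compiled function with the same call shape, but parses the formula into a plain AST and walks it, so no string from the user ever reaches `eval`, `Function`, or generated source. The grammar (arithmetic, unary minus, right-associative `^`, parentheses, calls into a fixed function allowlist), the 512-character bound, and the `compileFormula` name are my assumptions for a typical formula feature; variables come from a null-prototype object and must be numbers, and calls resolve only against the allowlist.

```javascript
'use strict';

// Bounds and allowlists are assumptions for a dashboard/workflow formula
// feature; tighten them to the product's real needs.
const MAX_LENGTH = 512;
const FUNCS = Object.freeze({
  abs: Math.abs, round: Math.round, sqrt: Math.sqrt, min: Math.min, max: Math.max,
});
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Tokens: numbers, identifiers, and the operator/punctuation set below.
// Anything else (quotes, dots, brackets, semicolons) is rejected outright,
// so property access such as constructor.constructor cannot be expressed.
function tokenize(src) {
  if (typeof src !== 'string' || src.length > MAX_LENGTH) throw new Error('formula rejected: not a string or too long');
  src = src.trim();
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_][A-Za-z0-9_]*)|([-+*\/^(),]))/y;
  const tokens = [];
  let pos = 0;
  while (pos < src.length) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (!m) throw new Error(`formula rejected: unexpected character at ${pos}`);
    pos = re.lastIndex;
    if (m[1] !== undefined) tokens.push({ t: 'num', v: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ t: 'id', v: m[2] });
    else tokens.push({ t: 'op', v: m[3] });
  }
  return tokens;
}

// Recursive-descent parser into a plain AST. Grammar:
//   expr  := term (('+'|'-') term)*        term := unary (('*'|'/') unary)*
//   unary := '-' unary | power             power := atom ('^' unary)?
//   atom  := number | ident | ident '(' expr (',' expr)* ')' | '(' expr ')'
// MAX_LENGTH also bounds recursion depth, since each level consumes input.
function parse(tokens) {
  let i = 0;
  const peek = () => tokens[i];
  const isOp = (v) => peek() !== undefined && peek().t === 'op' && peek().v === v;
  const expect = (v) => { if (!isOp(v)) throw new Error(`formula rejected: expected ${v}`); i++; };
  function expr() {
    let node = term();
    while (isOp('+') || isOp('-')) node = { k: 'bin', op: tokens[i++].v, l: node, r: term() };
    return node;
  }
  function term() {
    let node = unary();
    while (isOp('*') || isOp('/')) node = { k: 'bin', op: tokens[i++].v, l: node, r: unary() };
    return node;
  }
  function unary() { return isOp('-') ? (i++, { k: 'neg', e: unary() }) : power(); }
  function power() {
    const base = atom();
    return isOp('^') ? (i++, { k: 'bin', op: '^', l: base, r: unary() }) : base;
  }
  function atom() {
    const tok = peek();
    if (tok === undefined) throw new Error('formula rejected: unexpected end');
    if (tok.t === 'num') { i++; return { k: 'num', v: tok.v }; }
    if (tok.t === 'id') {
      i++;
      if (!isOp('(')) return { k: 'var', name: tok.v };
      i++;
      const args = [expr()];
      while (isOp(',')) { i++; args.push(expr()); }
      expect(')');
      return { k: 'call', name: tok.v, args };
    }
    if (isOp('(')) { i++; const e = expr(); expect(')'); return e; }
    throw new Error(`formula rejected: unexpected ${tok.v}`);
  }
  const root = expr();
  if (i !== tokens.length) throw new Error('formula rejected: trailing input');
  return root;
}

// Tree-walking evaluation: variables come from a null-prototype object and
// must be numbers; functions come only from FUNCS. No string ever reaches
// eval, Function, or a template, so the formula cannot produce code.
function evaluate(node, vars) {
  switch (node.k) {
    case 'num': return node.v;
    case 'var':
      if (!own(vars, node.name) || typeof vars[node.name] !== 'number') throw new Error(`unknown variable ${node.name}`);
      return vars[node.name];
    case 'neg': return -evaluate(node.e, vars);
    case 'call':
      if (!own(FUNCS, node.name)) throw new Error(`unknown function ${node.name}`);
      return FUNCS[node.name](...node.args.map((a) => evaluate(a, vars)));
    case 'bin': {
      const l = evaluate(node.l, vars), r = evaluate(node.r, vars);
      return { '+': l + r, '-': l - r, '*': l * r, '/': l / r, '^': l ** r }[node.op];
    }
    default: throw new Error('formula rejected: bad node');
  }
}

// Same call shape as the function toJSFunction() returned: compile once, call
// with a variable map. Parsing happens up front, so malformed input fails
// before anything is stored or scheduled.
function compileFormula(src) {
  const ast = parse(tokenize(src));
  return (vars = {}) => {
    const result = evaluate(ast, Object.assign(Object.create(null), vars));
    if (!Number.isFinite(result)) throw new Error('formula produced a non-finite result');
    return result;
  };
}
```

If the feature needs more than arithmetic (string fields, conditionals), extend the grammar and the allowlist rather than reaching back for a code-generating path; the property that matters is that every operation the formula can perform is one the evaluator enumerates.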

Repair help

Use Ping7 CVE Repair when a public API compiles user expressions, Fastify middleware protects sensitive routes, proxy validation is split from upstream parsing, or logs need review before redeploy.

References