Leaks petshop swagger and apache LICENSE file #3581
Closed
Description
Is there an existing issue for this?
- I have searched the existing issues
Current behavior
I have correct swagger docs for our API linked at /api & /api-json and that all works fine.
Pen testing last month detected that /api/api shows the petshop swagger and /api/LICENSE returns the Apache License file.
I've worked around it for now by adding an express middleware that detects accesses to /api paths that aren't directly related to our swagger UI/openAPI spec and returns 404s, but this shouldn't be necessary.
Minimum reproduction code
https://github.com/nestjs/nest/tree/master/sample/11-swagger
Steps to reproduce
- Use the basic swagger example, mounted at /api
- Go to /api/api and see the petshop instead of your swagger
- Go to /api/LICENSE and get the Apache 2.0 license file
Expected behavior
/api/api should 404
/api/LICENSE should 404
Package version
11.2.0
NestJS version
11.1.6
Node.js version
22.17.1
In which operating systems have you tested?
- macOS
- Windows
- Linux
Other

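One way to build the workaround the report describes, as an added example that is not the reporter's code and not part of NestJS or @nestjs/swagger: an Express-style middleware that allows only the Swagger UI page and the asset names it loads under the docs prefix, and answers 404 for anything else under it. The prefix "/api", the spec URLs "/api-json" and "/api-yaml" sitting beside the prefix rather than under it, the asset names in the allow-list, and registering the guard with app.use() before SwaggerModule.setup() so it runs first are all assumptions; verify the asset names against the browser's network tab for the swagger-ui version in use. Decisions are made on the normalized, decoded path so that "/api/x/../LICENSE", "/api/%4cICENSE" and "/api/license" (which a case-insensitive filesystem would otherwise serve) are all judged the same way as "/api/LICENSE".

```typescript
// Added example (not from the issue, NestJS or @nestjs/swagger): an Express-style
// guard for the Swagger UI prefix. Assumptions: docs mounted at "/api" (prefix
// given without a trailing slash), spec served beside it at "/api-json" and
// "/api-yaml", and the asset names below are what the generated UI page loads.
import type { IncomingMessage, ServerResponse } from "node:http";

type Next = (err?: unknown) => void;

// Asset file names the Swagger UI page requests under the prefix (assumed list).
// Matching is exact and case-sensitive, so "/api/license" is rejected even on a
// case-insensitive filesystem where a static file handler would serve it.
const UI_ASSET =
  /^\/(swagger-ui(-bundle|-standalone-preset|-init)?\.(js|css)(\.map)?|favicon-(16x16|32x32)\.png)$/;

// Decide whether a request may pass. Requests outside the docs prefix are not
// this guard's business and pass; under the prefix only the UI entry point and
// its known assets pass.
export function docsRequestAllowed(prefix: string, rawUrl: string): boolean {
  let pathname: string;
  try {
    // WHATWG URL parsing drops the query string and collapses "." and ".."
    // segments, so "/api/x/../LICENSE" is judged as "/api/LICENSE"; decoding
    // afterwards treats "/api/%4cICENSE" and "/api%2FLICENSE" the same way.
    pathname = decodeURIComponent(new URL(rawUrl, "http://localhost").pathname);
  } catch (_err) {
    return false; // malformed percent-encoding: nothing legitimate looks like this
  }
  if (pathname === prefix || pathname === prefix + "/") {
    return true; // the Swagger UI page itself
  }
  if (!pathname.startsWith(prefix + "/")) {
    return true; // not under the docs prefix: covers /api-json, /users, ...
  }
  return UI_ASSET.test(pathname.slice(prefix.length));
}

// Middleware factory. Assumed usage: app.use(swaggerPathGuard("/api")) before
// SwaggerModule.setup("api", app, document), relying on Express running
// middleware in registration order so the guard sees the request first.
export function swaggerPathGuard(prefix = "/api") {
  return (req: IncomingMessage, res: ServerResponse, next: Next): void => {
    if (docsRequestAllowed(prefix, req.url ?? "/")) {
      next();
      return;
    }
    res.statusCode = 404;
    res.setHeader("Content-Type", "text/plain");
    res.end("Not Found");
  };
}

// Constructed sample request paths (not captured traffic) and their decisions.
export function demo(): Record<string, boolean> {
  const sample = [
    "/api",
    "/api/api",
    "/api/LICENSE",
    "/api/x/../LICENSE",
    "/api/swagger-ui-bundle.js",
    "/api-json",
    "/users",
  ];
  const out: Record<string, boolean> = {};
  for (const p of sample) {
    out[p] = docsRequestAllowed("/api", p);
  }
  return out;
}
```

An allow-list is used deliberately: a deny-list of "LICENSE" and "api" would miss whatever else the static directory contains, while an allow-list only needs updating when the UI page starts loading a new asset, which shows up immediately as a broken docs page rather than as a silent leak.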