CVE-2026-44372

MEDIUM

Nitro: Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules

Title source: cna
STIX 2.1

Description

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. This vulnerability is fixed in 3.0.260429-beta.

References (4)

Core 4
Core References
X_Refsource_Misc x_refsource_misc
https://github.com/nitrojs/nitro/pull/4236
X_Refsource_Misc x_refsource_misc
https://github.com/nitrojs/nitro/releases/tag/v2.13.4

Scores

CVSS v3 6.1
EPSS 0.0024
EPSS Percentile 14.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-601
Status published
Products (5)
nitro/nitro < 2.13.4
nitrojs/nitro < 3.0.260429-beta
nitrojs/nitropack < 2.13.4
npm/nitro 0 - 3.0.260429-betanpm
npm/nitropack 0 - 2.13.4npm
Published May 13, 2026
Tracked Since May 14, 2026