CVE-2026-44373
Severity: MEDIUM
Nitro: Proxy scope bypass via percent-encoded path traversal in `routeRules`
Title source: cnaDescription
Nitro is a next-generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending a percent-encoded path traversal sequence (`..%2f`) in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. This vulnerability is fixed in 3.0.260429-beta.
References (5)
- x_refsource_confirm: https://github.com/nitrojs/nitro/security/advisories/GHSA-5w89-w975-hf9q
- x_refsource_misc: https://github.com/nitrojs/nitro/pull/4222
- x_refsource_misc: https://github.com/nitrojs/nitro/pull/4223
- x_refsource_misc: https://github.com/nitrojs/nitro/releases/tag/v2.13.4
- x_refsource_misc: https://github.com/nitrojs/nitro/releases/tag/v3.0.260429-beta
Scores
- CVSS v3: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
- Attack Vector: NETWORK
- EPSS: 0.0006 (percentile 17.7%)
CISA SSVC (Vulnrichment)
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Details
- CWE: CWE-22
- Status: published
Products (4)
- nitrojs/nitro: < 3.0.260429-beta
- nitrojs/nitropack: < 2.13.4
- npm/nitro: 0 - 3.0.260429-beta (npm)
- npm/nitropack: 0 - 2.13.4 (npm)
Published: May 13, 2026
Tracked Since: May 14, 2026