5.3

CVE-2026-44373

Nitro: Proxy scope bypass via percent-encoded path traversal in `routeRules`

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal (..%2f) in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. This vulnerability is fixed in 3.0.260429-beta.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NitroNitro SwPlatformnode.js Version < 2.13.4
NitroNitro SwPlatformnode.js Version > 2.13.4 < 3.0.260429
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.39% 0.308
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://github.com/nitrojs/nitro/releases/tag/v2.13.4
Release Notes
https://github.com/nitrojs/nitro/releases/tag/v3.0.260429-beta
Release Notes
https://github.com/nitrojs/nitro/security/advisories/GHSA-5w89-w975-hf9q
Third Party Advisory
https://github.com/nitrojs/nitro/pull/4222
Patch
Issue Tracking
https://github.com/nitrojs/nitro/pull/4223
Patch
Issue Tracking