๐Ÿ” CVE Alert

CVE-2026-44373

MEDIUM 5.3

Nitro: Proxy scope bypass via percent-encoded path traversal in `routeRules`

CVSS Score: 5.3
EPSS Score: 0.0%
EPSS Percentile: 0th

Nitro is a next-generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending a percent-encoded path traversal sequence (`..%2f`) in the URL: the rule matched the still-encoded path, so Nitro forwarded a request that the upstream then decoded and resolved to a location outside the configured scope. This vulnerability is fixed in 3.0.260429-beta.

CWE: CWE-22
Vendor: nitrojs
Product: nitro
Published: May 13, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Affected Versions

nitrojs / nitro: < 3.0.260429-beta
nitrojs / nitropack: < 2.13.4

References

https://github.com/nitrojs/nitro/security/advisories/GHSA-5w89-w975-hf9q
https://github.com/nitrojs/nitro/pull/4222
https://github.com/nitrojs/nitro/pull/4223
https://github.com/nitrojs/nitro/releases/tag/v2.13.4
https://github.com/nitrojs/nitro/releases/tag/v3.0.260429-beta