Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules — CVE-2026-44372
GHSA · GitHub · CVE-2026-44372
ID
CVE-2026-44372
CVE-2026-44372
Date
Updated
Activity
Source
GHSA
GHSA
Vendor
GitHub
GitHub
Threat
medium
medium
CVSS
5.3
5.3
Summary
A redirect route rule like: ```ts routeRules: { "/legacy/**": { redirect: "/**" } } ``` is intended to rewrite paths within the same host. Before the patch, an attacker could turn the rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. Example exploit: ``` GET /legacy//evil.com ``` Nitro stripped `/legacy` from the matched pathname and joined the remainder against the rule's…
Product
npm: nitro | npm: nitropack
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.