CVE-2026-44372: Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules
A redirect route rule like:
routeRules: {
"/legacy/**": { redirect: "/**" }
}
is intended to rewrite paths within the same host. Before the patch (shipped in v2.13.4 and v3.0.260429-beta, see References), an attacker could turn the rewrite into a cross-host redirect by inserting an extra slash immediately after the rule prefix. Example request:
GET /legacy//evil.com
Nitro stripped /legacy from the matched pathname and joined the remainder onto the rule's target. The remainder was //evil.com, which the join preserved verbatim, so Nitro responded with Location: //evil.com. Browsers resolve //evil.com as a protocol-relative URL against the current scheme, sending the user to https://evil.com. Any wildcard redirect rule that forwards the matched remainder is reachable this way; upgrading to the patched releases resolves it, and until then such rules should be removed or the computed Location checked so that it can never resolve to another origin.
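The following is an added example, not Nitro's or ufo's own code: a minimal model of the wildcard rule above with the pre-patch join beside a hardened variant, plus the browser-side resolution of the resulting Location. The rule prefix, target prefix, the app origin https://app.example and the function names are assumptions made for the illustration. The hardened check also covers the backslash form /\evil.com, which WHATWG-style URL parsers treat like a second slash; that variant is a generalisation and is not mentioned in the advisory.

```javascript
// Added example, not project code. Models routeRules: { "/legacy/**": { redirect: "/**" } }.
const RULE_PREFIX = "/legacy";   // assumed: text of the rule before "/**"
const TARGET_PREFIX = "/";       // assumed: text of the redirect target before "**"

// Pre-patch behaviour as described in the advisory: strip the rule prefix,
// then join the remainder onto the target with exactly one slash between them.
// Only one leading slash of the remainder is dropped, so "//evil.com" keeps a
// slash and the join produces "//evil.com".
function vulnerableRedirect(pathname) {
  if (!pathname.startsWith(RULE_PREFIX)) return null;      // rule does not match
  const remainder = pathname.slice(RULE_PREFIX.length);    // "//evil.com" for the exploit
  const base = TARGET_PREFIX.endsWith("/") ? TARGET_PREFIX : TARGET_PREFIX + "/";
  return base + remainder.replace(/^\//, "");
}

// What a browser does with the Location header: resolve it against the page
// it is currently on. A protocol-relative value replaces the host.
function browserResolves(location, currentPage) {
  return new URL(location, currentPage).href;
}

// Hardened variant (assumption: the app knows its own origin). The joined
// value is parsed exactly as a browser would resolve it; if that lands on a
// different origin the redirect is refused instead of being emitted.
function hardenedRedirect(pathname, appOrigin = "https://app.example") {
  const location = vulnerableRedirect(pathname);
  if (location === null) return null;
  const resolved = new URL(location, appOrigin);
  if (resolved.origin !== new URL(appOrigin).origin) return null; // cross-origin: refuse
  return resolved.pathname + resolved.search + resolved.hash;     // same-origin path only
}

// Constructed sample requests: one legitimate, one exploit, one backslash variant.
for (const path of ["/legacy/docs/page", "/legacy//evil.com", "/legacy/\\evil.com"]) {
  const loc = vulnerableRedirect(path);
  console.log(
    `${path} -> vulnerable Location: ${loc} (browser goes to ${browserResolves(loc, "https://app.example" + path)}) | hardened: ${hardenedRedirect(path)}`
  );
}
```

The origin comparison is deliberately done on the parsed result rather than by pattern-matching the string, so that every spelling the browser would accept as an authority (double slash, backslash, percent-encoding that the parser decodes) is judged the same way the browser will judge it.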
References
- github.com/advisories/GHSA-9phm-9p8f-hw5m
- github.com/nitrojs/nitro
- github.com/nitrojs/nitro/pull/4236
- github.com/nitrojs/nitro/releases/tag/v2.13.4
- github.com/nitrojs/nitro/releases/tag/v3.0.260429-beta
- github.com/nitrojs/nitro/security/advisories/GHSA-9phm-9p8f-hw5m
- github.com/unjs/ufo/commit/5cd9e676711af3f4e4b5398ddf6ca8d52c1c7e1f
- nvd.nist.gov/vuln/detail/CVE-2026-44372