CVE-2026-44373: Nitro has a proxy scope bypass via percent-encoded path traversal in `routeRules`
A proxy route rule like:
routeRules: {
"/api/orders/**": { proxy: { to: "http://upstream/orders/**" } }
}
is intended to limit the proxy to URLs under /api/orders/. Before the patch, an attacker could bypass that scope by sending percent-encoded path traversal (..%2f) in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. Example exploit:
GET /api/orders/..%2fadmin%2fconfig.json
Nitro sees ..%2f as opaque characters at match time, the /api/orders/** rule matched, and the raw path was forwarded to the upstream as /orders/..%2fadmin/config.json. An upstream that decodes %2F to / then resolved .. and can serve /admin/config.json outside the intended scope.
References
- github.com/advisories/GHSA-5w89-w975-hf9q
- github.com/nitrojs/nitro
- github.com/nitrojs/nitro/pull/4222
- github.com/nitrojs/nitro/pull/4223
- github.com/nitrojs/nitro/releases/tag/v2.13.4
- github.com/nitrojs/nitro/releases/tag/v3.0.260429-beta
- github.com/nitrojs/nitro/security/advisories/GHSA-5w89-w975-hf9q
- nvd.nist.gov/vuln/detail/CVE-2026-44373
Code Behaviors & Features
Detect and mitigate CVE-2026-44373 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →