Advisories for Npm/Nitro package

A redirect route rule like: routeRules: { "/legacy/": { redirect: "/" } } is intended to rewrite paths within the same host. Before the patch, an attacker could turn the rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. Example exploit: GET /legacy//evil.com Nitro stripped /legacy from the matched pathname and joined the remainder against the rule's target. The remainder was //evil.com, which the …

A proxy route rule like: routeRules: { "/api/orders/": { proxy: { to: "http://upstream/orders/" } } } is intended to limit the proxy to URLs under /api/orders/. Before the patch, an attacker could bypass that scope by sending percent-encoded path traversal (..%2f) in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. Example exploit: GET /api/orders/..%2fadmin%2fconfig.json Nitro sees ..%2f as opaque characters at match …