PT-2026-38252 · Nitro · Nitro
Published 2026-05-06 · Updated 2026-05-13 · CVE-2026-44372
CVSS v4.0: 5.3 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Nitro versions prior to 2.13.4
Nitro versions prior to 3.0.260429-beta
Description
An issue exists where an attacker can transform a redirect route rule using wildcards into a cross-host redirect by inserting an extra slash after the rule prefix. This occurs when the project uses routeRules with a redirect entry whose target uses a /** wildcard suffix to forward sub-paths. The Nitro runtime strips the rule prefix and joins the remainder against the target; a remainder that starts with // is preserved, so the browser resolves the resulting Location as a protocol-relative URL pointing at an external domain. This results in an open redirect in which the target host is fully controlled by the attacker. This issue does not affect deployments using the vercel, netlify, cloudflare-pages, or edgeone presets, as those handle redirects at the CDN layer rather than through the Nitro runtime.
Recommendations
Update to version 2.13.4 or later.
Update to version 3.0.260429-beta or later.
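Added example (not Nitro's own code and not the fix shipped in the versions above): a simplified model of how a wildcard redirect rule resolves a request path, showing the verbatim remainder join the Description section attributes to the runtime next to a hardened variant that collapses leading slashes, plus a response-layer check a defender can apply to any Location value. The rule shapes, function names, and sample paths (including the attacker.example host) are constructed assumptions, not taken from the advisory or from the Nitro source.

```javascript
// Added example, not Nitro's implementation: a minimal model of a
// "/prefix/**" -> "/target/**" redirect rule resolver. Rules, names and
// sample paths are constructed for illustration.

// Constructed rules: forward every sub-path of /old to the site root, and
// every sub-path of /docs under /new.
const RULES = [
  { from: "/old/**", to: "/**" },
  { from: "/docs/**", to: "/new/**" },
];

// Drop the trailing "/**" to obtain the literal prefix (or target base).
// For a root target "/**" this yields the empty string.
function stripWildcard(pattern) {
  return pattern.endsWith("/**") ? pattern.slice(0, -3) : pattern;
}

// Vulnerable model: the remainder after the rule prefix is appended to the
// target base verbatim. A request "/old//attacker.example/x" leaves the
// remainder "//attacker.example/x"; with a root target the base is "", so
// the Location becomes "//attacker.example/x", which browsers resolve as a
// protocol-relative URL to that external host.
function resolveRedirectVulnerable(rule, requestPath) {
  const prefix = stripWildcard(rule.from);
  if (!requestPath.startsWith(prefix + "/")) return null;
  const remainder = requestPath.slice(prefix.length); // leading slashes kept
  return stripWildcard(rule.to) + remainder;
}

// Hardened model: collapse any run of leading "/" or "\" in the remainder
// to a single "/" before joining, so the result is always site-relative.
// ("\" is included because browsers treat it like "/" at the start of a
// path when parsing a Location header.)
function resolveRedirectHardened(rule, requestPath) {
  const prefix = stripWildcard(rule.from);
  if (!requestPath.startsWith(prefix + "/")) return null;
  const remainder = requestPath.slice(prefix.length).replace(/^[\\\/]+/, "/");
  return stripWildcard(rule.to) + remainder;
}

// Defence in depth at the response layer, independent of how the target was
// built: a same-site redirect must start with exactly one "/" that is not
// followed by another "/" or by "\".
function isSameSiteLocation(location) {
  return /^\/(?![\\\/])/.test(location);
}

// Pick the first rule whose prefix matches the request path (constructed
// matcher; real routers use pattern-based matching).
function findRule(requestPath) {
  return (
    RULES.find((r) => requestPath.startsWith(stripWildcard(r.from) + "/")) ||
    null
  );
}

// Stand-alone demonstration on a constructed request path.
const sample = "/old//attacker.example/x";
const rule = findRule(sample);
console.log("vulnerable:", resolveRedirectVulnerable(rule, sample));
console.log("hardened:  ", resolveRedirectHardened(rule, sample));
console.log("same-site? ", isSameSiteLocation(resolveRedirectHardened(rule, sample)));
```

The point of the two resolvers side by side is that the unsafe behaviour only surfaces when the normalised remainder is allowed to start with two slashes; rejecting or collapsing that case at the join, and additionally refusing to emit any Location that fails isSameSiteLocation when a rule is meant to stay on-site, closes the protocol-relative escape regardless of which target base the rule uses. The actual remedy for affected deployments remains the version update listed above.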
Fix
Open Redirect
Weakness Enumeration
Related Identifiers
Affected Products
Nitro