PT-2026-38253 · Nitro · Nitro

Published

2026-05-06

·

Updated

2026-05-28

·

CVE-2026-44373

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Nitro versions prior to 2.13.4
Nitro versions prior to 3.0.260429-beta
Description

An attacker can bypass proxy route rules by sending a percent-encoded path traversal sequence ("..%2f") in the request path. Nitro matched route rules against the raw, undecoded path, so the encoded "%2f" was treated as an opaque character rather than as a path separator: a request such as "/api/orders/..%2fadmin" still matches a rule like "/api/orders/**" and is forwarded to the upstream server unchanged. If the upstream decodes "%2F" to "/" before routing or filesystem lookup, it resolves the path outside the scope the rule was meant to cover (in the example above, to "/api/admin"), potentially exposing internal admin endpoints, secrets, or other restricted services. The vulnerability is therefore only exploitable when the matcher and the upstream disagree on when percent-decoding happens; the fix is to canonicalize the path before matching so that both sides see the same path.

Recommendations

Update to version 2.13.4 or later (2.x line). Update to version 3.0.260429-beta or later (3.0 beta line).
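The matcher/upstream mismatch described above, as an added example that is not Nitro's code and does not reproduce Nitro's actual route matcher or its fix. The rule set, the upstream host and the "/api/admin" endpoint are hypothetical; the hardened variant implements one defensible policy (decode once, refuse ambiguous encodings, then match), not necessarily the change shipped in 2.13.4.

```javascript
// Added example for this advisory; not Nitro's code. Rule set, upstream host
// and the "/api/admin" endpoint are hypothetical.

const ROUTE_RULES = [
  { pattern: "/api/orders/**", upstream: "http://orders.internal" },
];

// Compile a routeRules-style glob: "**" spans "/" separators, "*" does not.
function globToRegExp(pattern) {
  const source = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*\*/g, "\u0000")
    .replace(/\*/g, "[^/]*")
    .replace(/\u0000/g, ".*");
  return new RegExp(`^${source}$`);
}

function firstMatch(path) {
  const rule = ROUTE_RULES.find((r) => globToRegExp(r.pattern).test(path));
  return rule ? { rule: rule.pattern, upstream: rule.upstream, forwardedPath: path } : null;
}

// Vulnerable behaviour: the raw wire path is matched as-is. To this matcher
// "%2f" is three ordinary characters, so "/api/orders/..%2fadmin" is simply a
// deep path under /api/orders/ and is forwarded untouched.
function matchRaw(rawPath) {
  return firstMatch(rawPath);
}

// Simplified RFC 3986 remove_dot_segments on an already-decoded path.
function resolveDotSegments(decodedPath) {
  const out = [];
  for (const seg of decodedPath.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// What a typical upstream does before routing or a filesystem lookup:
// percent-decode, then collapse "." and ".." segments.
function upstreamResolve(forwardedPath) {
  return resolveDotSegments(decodeURIComponent(forwardedPath));
}

function countSlashes(s) {
  return (s.match(/\//g) || []).length;
}

// Hardened matcher (one defensible policy, not necessarily Nitro's fix):
// decode exactly once, refuse anything whose decoded form is ambiguous
// (double encoding, encoded separators, dot segments), and only then match.
// Whatever the upstream's decoding rules, it never receives a path that
// means something different from what the rule matched.
function matchNormalized(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return { rejected: "malformed percent-encoding" };
  }
  if (decoded.includes("%")) return { rejected: "double-encoded path" };
  if (countSlashes(decoded) !== countSlashes(rawPath)) {
    return { rejected: "encoded path separator" };
  }
  if (decoded.split("/").some((seg) => seg === "." || seg === "..")) {
    return { rejected: "dot segments in path" };
  }
  return firstMatch(decoded);
}

// Walk the advisory's scenario end to end.
const probe = "/api/orders/..%2fadmin";
console.log("raw matcher   :", matchRaw(probe));        // forwarded to the orders upstream
console.log("upstream sees :", upstreamResolve(probe)); // /api/admin
console.log("hardened      :", matchNormalized(probe)); // rejected before any forwarding
```

Run with node. The raw matcher forwards the probe to the orders upstream, which resolves it to "/api/admin"; the hardened matcher rejects the same probe (encoded separator), a literal "/api/orders/../admin" (dot segments) and a double-encoded "..%252f" (double encoding), while a plain "/api/orders/42" still matches and is forwarded. Rejecting rather than silently normalizing is a deliberate choice: an encoded slash inside a path parameter is legitimate in some APIs, but a proxy that cannot know how the upstream decodes it should not guess on its behalf.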

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-44373
GHSA-5W89-W975-HF9Q

Affected Products

Nitro