CVE-2026-44372 PUBLISHED

Nitro: Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules

Assigner: GitHub_M
Reserved: 05.05.2026 Published: 13.05.2026 Updated: 13.05.2026

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. This vulnerability is fixed in 3.0.260429-beta.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS Score: 5.3

Product Status

Vendor nitrojs
Product nitro
Versions
  • Version < 3.0.260429-beta is affected
Vendor nitrojs
Product nitropack
Versions
  • Version < 2.13.4 is affected

References

Problem Types

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') CWE