Description
Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. This vulnerability is fixed in 3.0.260429-beta.
Published: 2026-05-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nitro is a next-generation server toolkit whose route rules can declare redirects with wildcard (`/**`) rewrite patterns. Prior to version 3.0.260429-beta, a request path carrying an extra slash immediately after the rule's prefix was carried through the rewrite with that slash intact, so the computed redirect target could begin with `//`. Browsers resolve such a target as a protocol-relative URL, keeping the current scheme but switching to whatever host follows the two slashes, which turns an intended same-site redirect into a cross-host one. An attacker can therefore hand out a link on the trusted domain that, once processed by Nitro, sends the victim to a hostile site, which makes phishing considerably more convincing. The weakness is a classic open redirect, CWE-601.
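To make the mechanism above concrete, here is an added JavaScript example, constructed for this page and not taken from Nitro's source or from the advisory, that models a prefix-stripping wildcard redirect rule. The rule shape, the paths and the origin `http://app.local` are assumptions. It shows the request path `/old//evil.example/login` being spliced verbatim into the rewritten target so that the result is the protocol-relative URL `//evil.example/login`, and a hardened variant that resolves the target against the application's own origin and refuses anything that would leave it.

```javascript
// Constructed model of a prefix-stripping wildcard redirect rule. This is NOT
// Nitro's implementation, only the shape of logic that produces this bug class.
// A rule maps `from` (ending in /**) to `to` (ending in /**); whatever follows
// the `from` prefix in the request path is appended to the `to` prefix.

// Vulnerable shape: the remainder of the path is spliced in verbatim, so a
// request like /old//evil.example/login keeps its leading "//" and, when the
// destination prefix is empty, the result is a protocol-relative URL.
function naiveRewrite(rule, requestPath) {
  const fromPrefix = rule.from.slice(0, -"/**".length); // "/old/**" -> "/old"
  const toPrefix = rule.to.slice(0, -"/**".length);     // "/**"     -> ""
  const rest = requestPath.startsWith(fromPrefix)
    ? requestPath.slice(fromPrefix.length)
    : requestPath;
  return toPrefix + rest;
}

// Classify a redirect target relative to the application's own origin.
// The WHATWG URL parser also treats "\" as "/" for http(s) URLs, so
// "/\evil.example" is caught as well as "//evil.example".
function isCrossHostRedirect(target, origin) {
  const base = new URL(origin);
  let resolved;
  try {
    resolved = new URL(target, base);
  } catch {
    return true; // unparsable target: refuse rather than guess
  }
  return resolved.origin !== base.origin;
}

// Hardened shape: compute the target the same way, then refuse anything that
// would leave the origin and emit a normalised same-origin path.
function safeRewrite(rule, requestPath, origin = "http://app.local") {
  const target = naiveRewrite(rule, requestPath);
  if (isCrossHostRedirect(target, origin)) return null;
  const resolved = new URL(target, origin);
  return resolved.pathname + resolved.search + resolved.hash;
}

// Demonstration on constructed inputs (assumed rule and paths).
const rule = { from: "/old/**", to: "/**" };
console.log(naiveRewrite(rule, "/old/page?x=1"));            // "/page?x=1"
console.log(naiveRewrite(rule, "/old//evil.example/login")); // "//evil.example/login"
console.log(isCrossHostRedirect("//evil.example/login", "http://app.local")); // true
console.log(safeRewrite(rule, "/old//evil.example/login"));  // null
console.log(safeRewrite(rule, "/old/page?x=1"));             // "/page?x=1"
```

`isCrossHostRedirect` is also the check to run over the `Location` header an instance returns when you test it with `curl -sI` against a wildcard-redirected path: a value that resolves to a different origin than the request is the finding. Note that a non-empty destination prefix (`/new/**`) keeps the doubled slash inside the path, which resolves on the same origin and is therefore not a cross-host redirect in this model.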

Affected Systems

The vendor nitrojs is affected through its products nitro and nitropack (nitropack being the npm package name used by earlier releases). Any instance running a release before 3.0.260429-beta is vulnerable; the advisory states no lower bound, so earlier release lines such as 2.x should be treated as affected unless a backported fix is confirmed.

Risk and Exploitability

The CVE carries a CVSS 4.0 base score of 5.3 (Medium); NVD's CVSS 3.1 assessment is 6.1 (Medium, with changed scope). The EPSS probability is below 1% and the vulnerability is not listed in CISA's KEV catalog, although the SSVC assessment marks it as automatable. Exploitation requires no privileges and no access to the server configuration: the only precondition is that the application already defines a redirect route rule with a wildcard rewrite, a common pattern for moving old paths to new ones. Given such a rule, an unauthenticated attacker can build a URL on the trusted origin that, when a victim follows it, sends the victim to a host of the attacker's choosing (the vectors record this as PR:N with UI:P and UI:R respectively).

Generated by OpenCVE AI on May 13, 2026 at 23:06 UTC.

Remediation

The vendor fix is release 3.0.260429-beta (see Description); no separate workaround is documented.

OpenCVE Recommended Actions

  • Upgrade nitro (or nitropack) to version 3.0.260429-beta or later; this is the only fix the advisory names.
  • Review every route rule that redirects with a wildcard rewrite (a `/**` destination). Until the upgrade lands, make sure the rewritten target can never begin with `//` or `/\`, which browsers resolve as protocol-relative URLs to another host, and prefer destinations that are explicit same-origin paths or fully qualified URLs on a host you control.
  • If upgrading immediately is not possible, temporarily replace wildcard redirect rules with explicit per-path redirects until the patch can be applied.



Advisories
Source: GitHub GHSA
ID: GHSA-9phm-9p8f-hw5m
Title: Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules
History

Thu, 28 May 2026 18:30:00 +0000

Values Added:
  First Time appeared: Nitro (vendor); Nitro nitro (product)
  CPEs: cpe:2.3:a:nitro:nitro:*:*:*:*:*:*:*:*
  Vendors & Products: Nitro (vendor); Nitro nitro (product)
  Metrics: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Thu, 14 May 2026 16:30:00 +0000

Values Added:
  Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 15:00:00 +0000

Values Added:
  First Time appeared: Nitrojs (vendor); Nitrojs nitro (product); Nitropack (vendor); Nitropack nitropack (product)
  Vendors & Products: Nitrojs (vendor); Nitrojs nitro (product); Nitropack (vendor); Nitropack nitropack (product)

Wed, 13 May 2026 21:15:00 +0000

Values Added:
  Description: Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. This vulnerability is fixed in 3.0.260429-beta.
  Title: Nitro: Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules
  Weaknesses: CWE-601
  References:
  Metrics: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T15:47:06.216Z

Reserved: 2026-05-05T20:15:20.631Z

Link: CVE-2026-44372

Vulnrichment

Updated: 2026-05-14T15:47:02.967Z

NVD

Status : Analyzed

Published: 2026-05-13T21:16:47.890

Modified: 2026-05-28T18:25:11.010

Link: CVE-2026-44372

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:33:28Z

Weaknesses