Impact
Nitro, a server toolkit, has a proxy configuration flaw: a crafted URL containing a percent-encoded path traversal sequence (..%2f) can bypass the routing scope that a proxy rule is meant to enforce. When the request is processed, Nitro forwards it to a location that may resolve to an upstream resource outside the defined proxy boundaries, potentially exposing sensitive endpoints that should be restricted. This vulnerability is a form of path traversal (CWE-22) that breaks request isolation within Nitro applications.
Affected Systems
The affected product is NitroJS Nitro (including NitroPack); all releases prior to version 3.0.260429-beta are vulnerable. Version 3.0.260429-beta and later contain the fix. Enterprise users deploying Nitro on web servers, API gateways, or edge runtimes should verify their version and apply the necessary update.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate overall risk. No EPSS score is currently available, so the likelihood of exploitation remains uncertain. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to send a specially crafted HTTP request to a Nitro instance; the traversal sequence must be percent-encoded for Nitro's routeRules parser to interpret it in the way the bypass requires. Successful exploitation would allow the attacker to reach upstream resources outside the intended proxy scope, potentially leaking data or escalating privileges within the hosted application.
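As an added example (not Nitro's own code), the following guard shows the defensive check the flaw calls for: it percent-decodes and normalizes a request path before any proxy forwarding decision and rejects a request whose resolved path leaves the configured proxy prefix. The `/api/` prefix and the function names are assumptions for illustration.

```javascript
// Added example, not code from Nitro. Decodes and normalizes a request
// path and checks that it still resolves inside the configured proxy prefix,
// so an encoded traversal such as /api/..%2fadmin cannot escape the scope.

// Decode percent-escapes until the string stops changing, so both a
// single-encoded ..%2f and a double-encoded ..%252f are seen in clear.
function fullyDecode(path, maxRounds = 3) {
  let current = path;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch {
      return null; // malformed escape sequence: treat as unsafe
    }
    if (next === current) return current;
    current = next;
  }
  return null; // still changing after maxRounds: refuse to guess
}

// Resolve "." and ".." segments the way an upstream router or filesystem would.
function normalizePath(path) {
  const out = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// True only if the request, after decoding and normalization, stays under
// prefix (the assumed proxy scope, e.g. "/api/"). A request that fails this
// check should be rejected instead of forwarded.
function resolvesWithinScope(rawPath, prefix) {
  const decoded = fullyDecode(rawPath);
  if (decoded === null) return false;
  const normalized = normalizePath(decoded);
  const normPrefix = normalizePath(prefix);
  return normalized === normPrefix || normalized.startsWith(normPrefix + "/");
}
```

The same check can be run over request paths in access logs to flag attempts against the proxy scope.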