GHSA-9PHM-9P8F-HW5M

Vulnerability from github – Published: 2026-05-06 23:02 – Updated: 2026-05-06 23:02
VLAI?
Summary
Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules
Details

A redirect route rule like:

routeRules: {
  "/legacy/**": { redirect: "/**" }
}

is intended to rewrite paths within the same host. Before the patch, an attacker could turn the rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. Example exploit:

GET /legacy//evil.com

Nitro stripped /legacy from the matched pathname and joined the remainder against the rule's target. The remainder was //evil.com, which the join preserved verbatim, so Nitro responded with Location: //evil.com. Browsers resolve //evil.com as a protocol-relative URL against the current scheme, sending the user to https://evil.com.

Are you affected?

Users may be affected if all of the following are true:

  1. Their project uses Nitro's routeRules with a redirect entry.
  2. The target uses a /** wildcard suffix to forward sub-paths (e.g. redirect: "/**", redirect: "/new/**", proxy: { to: "http://upstream/**" }).
  3. The redirect rule is not handled natively at the CDN layer. The vercel, netlify, cloudflare-pages, and edgeone presets translate routeRules.redirect into platform config (vercel.json, _redirects, EdgeOne v3 config) and serve the redirect at the edge — those deployments bypass the Nitro runtime entirely and are not affected. Every other preset executes the redirect through the Nitro runtime and can be vulnerable.

Impact

Open redirect from any host serving Nitro with a wildcard redirect rule. The redirect target is fully attacker-controlled, the URL looks legitimate (it starts with the victim's domain), and the browser silently follows it.

Patched versions

Upgrade to one of:

  • 2.13.4 or later (or upgrade lockfile with latest ufo 1.6.4+)
  • 3.0.260429-beta or later (https://github.com/nitrojs/nitro/pull/4236)

The fix has two parts:

  1. ufo is bumped to ^1.6.4 (unjs/ufo@5cd9e67), which collapses any run of leading slashes to a single / inside withoutBase. This covers the typical "/scope/**" rule.
  2. The Nitro runtime additionally collapses leading // before joining when the rule path itself is /** (in rare case which case withoutBase is never called and the raw pathname flows straight into joinURL("", …)).
Severity ?
5.3 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nitro"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.260429-beta"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "nitropack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.13.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44372"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T23:02:45Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "A redirect route rule like:\n\n```ts\nrouteRules: {\n  \"/legacy/**\": { redirect: \"/**\" }\n}\n```\n\nis intended to rewrite paths within the same host. Before the patch, an attacker could turn the rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. Example exploit:\n\n```\nGET /legacy//evil.com\n```\n\nNitro stripped `/legacy` from the matched pathname and joined the remainder against the rule\u0027s target. The remainder was `//evil.com`, which the join preserved verbatim, so Nitro responded with `Location: //evil.com`. Browsers resolve `//evil.com` as a protocol-relative URL against the current scheme, sending the user to `https://evil.com`. \n\n### Are you affected?\n\nUsers may be affected if **all** of the following are true:\n\n1. Their project uses Nitro\u0027s `routeRules` with a `redirect` entry.\n2. The target uses a `/**` wildcard suffix to forward sub-paths (e.g. `redirect: \"/**\"`, `redirect: \"/new/**\"`, `proxy: { to: \"http://upstream/**\" }`).\n3. The `redirect` rule is _not_ handled natively at the CDN layer. The `vercel`, `netlify`, `cloudflare-pages`, and `edgeone` presets translate `routeRules.redirect` into platform config (`vercel.json`, `_redirects`, EdgeOne v3 config) and serve the redirect at the edge \u2014 those deployments bypass the Nitro runtime entirely and are not affected. Every other preset executes the redirect through the Nitro runtime and can be vulnerable.\n\n## Impact\n\nOpen redirect from any host serving Nitro with a wildcard `redirect` rule. The redirect target is fully attacker-controlled, the URL looks legitimate (it starts with the victim\u0027s domain), and the browser silently follows it.\n\n## Patched versions\n\nUpgrade to one of:\n\n- [2.13.4](https://github.com/nitrojs/nitro/releases/tag/v2.13.4) or later (or upgrade lockfile with latest ufo 1.6.4+)\n- [3.0.260429-beta](https://github.com/nitrojs/nitro/releases/tag/v3.0.260429-beta) or later (https://github.com/nitrojs/nitro/pull/4236)\n\nThe fix has two parts:\n\n1. `ufo` is bumped to `^1.6.4` ([unjs/ufo@5cd9e67](https://github.com/unjs/ufo/commit/5cd9e676711af3f4e4b5398ddf6ca8d52c1c7e1f)), which collapses any run of leading slashes to a single `/` inside `withoutBase`. This covers the typical `\"/scope/**\"` rule.\n2. The Nitro runtime additionally collapses leading `//` before joining when the rule path itself is `/**` (in rare case which case `withoutBase` is never called and the raw pathname flows straight into `joinURL(\"\", \u2026)`).",
  "id": "GHSA-9phm-9p8f-hw5m",
  "modified": "2026-05-06T23:02:45Z",
  "published": "2026-05-06T23:02:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nitrojs/nitro/security/advisories/GHSA-9phm-9p8f-hw5m"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nitrojs/nitro/pull/4236"
    },
    {
      "type": "WEB",
      "url": "https://github.com/unjs/ufo/commit/5cd9e676711af3f4e4b5398ddf6ca8d52c1c7e1f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nitrojs/nitro"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nitrojs/nitro/releases/tag/v2.13.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nitrojs/nitro/releases/tag/v3.0.260429-beta"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.