CVE-2026-44372
Published: May 13, 2026
Modified: May 14, 2026
PUBLISHED
Description
Nitro is a next-generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule that uses a wildcard rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. This vulnerability is fixed in 3.0.260429-beta.
| Vendor | Product | Versions |
|---|---|---|
| nitrojs | nitro | affected < 3.0.260429-beta |
| nitrojs | nitropack | affected < 2.13.4 |
Weaknesses (CWE)
References
https://github.com/nitrojs/nitro/security/advisories/GHSA-9phm-9p8f-hw5m (x_refsource_CONFIRM)
https://github.com/nitrojs/nitro/pull/4236 (x_refsource_MISC)
https://github.com/nitrojs/nitro/releases/tag/v2.13.4 (x_refsource_MISC)
https://github.com/nitrojs/nitro/releases/tag/v3.0.260429-beta (x_refsource_MISC)