GHSA-9phm-9p8f-hw5m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9phm-9p8f-hw5m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-9phm-9p8f-hw5m/GHSA-9phm-9p8f-hw5m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9phm-9p8f-hw5m
- Aliases
-
- CVE-2026-44372
- Published
- 2026-05-06T23:02:45Z
- Modified
- 2026-05-06T23:18:54.169729Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules
- Details
-
A redirect route rule like:
routeRules: { "/legacy/**": { redirect: "/**" } }is intended to rewrite paths within the same host. Before the patch, an attacker could turn the rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. Example exploit:
GET /legacy//evil.comNitro stripped
/legacyfrom the matched pathname and joined the remainder against the rule's target. The remainder was//evil.com, which the join preserved verbatim, so Nitro responded withLocation: //evil.com. Browsers resolve//evil.comas a protocol-relative URL against the current scheme, sending the user tohttps://evil.com.Are you affected?
Users may be affected if all of the following are true:
- Their project uses Nitro's
routeRuleswith aredirectentry. - The target uses a
/**wildcard suffix to forward sub-paths (e.g.redirect: "/**",redirect: "/new/**",proxy: { to: "http://upstream/**" }). - The
redirectrule is not handled natively at the CDN layer. Thevercel,netlify,cloudflare-pages, andedgeonepresets translaterouteRules.redirectinto platform config (vercel.json,_redirects, EdgeOne v3 config) and serve the redirect at the edge — those deployments bypass the Nitro runtime entirely and are not affected. Every other preset executes the redirect through the Nitro runtime and can be vulnerable.
Impact
Open redirect from any host serving Nitro with a wildcard
redirectrule. The redirect target is fully attacker-controlled, the URL looks legitimate (it starts with the victim's domain), and the browser silently follows it.Patched versions
Upgrade to one of:
- 2.13.4 or later (or upgrade lockfile with latest ufo 1.6.4+)
- 3.0.260429-beta or later (https://github.com/nitrojs/nitro/pull/4236)
The fix has two parts:
ufois bumped to^1.6.4(unjs/ufo@5cd9e67), which collapses any run of leading slashes to a single/insidewithoutBase. This covers the typical"/scope/**"rule.- The Nitro runtime additionally collapses leading
//before joining when the rule path itself is/**(in rare case which casewithoutBaseis never called and the raw pathname flows straight intojoinURL("", …)).
- Their project uses Nitro's
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-06T23:02:45Z", "cwe_ids": [ "CWE-601" ], "severity": "MODERATE", "nvd_published_at": null }- References
-
- https://github.com/nitrojs/nitro/security/advisories/GHSA-9phm-9p8f-hw5m
- https://github.com/nitrojs/nitro/pull/4236
- https://github.com/unjs/ufo/commit/5cd9e676711af3f4e4b5398ddf6ca8d52c1c7e1f
- https://github.com/nitrojs/nitro
- https://github.com/nitrojs/nitro/releases/tag/v2.13.4
- https://github.com/nitrojs/nitro/releases/tag/v3.0.260429-beta
Affected packages
npm / nitro
Package
- Name
- nitro
- View open source insights on deps.dev
- Purl
- pkg:npm/nitro
npm / nitropack
Package
- Name
- nitropack
- View open source insights on deps.dev
- Purl
- pkg:npm/nitropack