CVE-2026-44372
Open redirect vulnerability in nitro (npm)
What is CVE-2026-44372 About?
This vulnerability allows for an open redirect in Nitro's route rule processing when using wildcard suffixes for redirects. An attacker can craft a URL that bypasses the intended same-host rewrite, leading to a cross-host redirect. This is relatively easy to exploit with a specially crafted URL, potentially enabling phishing attacks.
Affected Software
- nitro: <3.0.260429-beta
- nitropack: <2.13.4
Technical Details
The vulnerability arises when Nitro processes a redirect route rule configured with a wildcard suffix, such as redirect: '/**'. If an attacker introduces an extra slash after the rule's prefix (e.g., /legacy//evil.com instead of /legacy/evil.com), Nitro incorrectly parses the URL. Specifically, Nitro strips the /legacy prefix, leaving //evil.com. When this remainder is joined with the rule's target, it is preserved verbatim, resulting in a Location: //evil.com header. Browsers interpret //evil.com as a protocol-relative URL and redirect the user to https://evil.com, effectively turning an intended internal rewrite into an external, attacker-controlled redirect.
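The prefix-strip-and-join described above, recreated here as an added JavaScript illustration that is not Nitro's or ufo's code: the naive join reproduces the protocol-relative `Location` value, the hardened variant collapses the doubled slash and refuses any result that is not a single-origin absolute path, and a small log filter flags requests of that shape. The rule object, the function names and the log lines are assumptions constructed for the example; the actual upstream fix lives in the ufo commit linked under Additional Resources.

```javascript
// Hypothetical rule standing in for routeRules: { '/legacy/**': { redirect: '/**' } }
const RULE = { prefix: "/legacy", target: "/" };

// Vulnerable pattern: strip the prefix and append the remainder verbatim.
// "/legacy//evil.com" -> remainder "//evil.com" -> Location "//evil.com"
function naiveRedirectTarget(path, rule = RULE) {
  if (!path.startsWith(rule.prefix + "/")) return null; // rule does not match
  const remainder = path.slice(rule.prefix.length);
  return rule.target.replace(/\/$/, "") + remainder;
}

// A redirect target is only safe to emit when it is one absolute path on this
// origin: exactly one leading "/", and the next character is neither "/" nor "\"
// (browsers treat a backslash in that position like a forward slash).
function isSameOriginPath(location) {
  return /^\/(?![\/\\])/.test(location);
}

// Hardened pattern: collapse runs of slashes in the remainder, then validate the
// joined result instead of trusting it.
function safeRedirectTarget(path, rule = RULE) {
  if (!path.startsWith(rule.prefix + "/")) return null;
  const remainder = path.slice(rule.prefix.length).replace(/\/{2,}/g, "/");
  const location = rule.target.replace(/\/$/, "") + remainder;
  return isSameOriginPath(location) ? location : null;
}

// Detection: flag request paths with a doubled slash right after a redirect
// prefix, which is the shape of the crafted URL described in the advisory.
const SAMPLE_LOG = [ // constructed sample lines, not real traffic
  "GET /legacy/docs HTTP/1.1 302",
  "GET /legacy//evil.com HTTP/1.1 302",
  "GET /static/app.js HTTP/1.1 200",
];

function findSuspiciousRedirectRequests(lines, prefixes = [RULE.prefix]) {
  return lines.filter((line) => {
    const path = line.split(" ")[1] || "";
    return prefixes.some((p) => path.startsWith(p + "//"));
  });
}

// Stand-alone run: show the two joins side by side and the flagged log line.
console.log("naive :", naiveRedirectTarget("/legacy//evil.com")); // //evil.com
console.log("safe  :", safeRedirectTarget("/legacy//evil.com"));  // /evil.com
console.log("flagged:", findSuspiciousRedirectRequests(SAMPLE_LOG));
```

The validation step is the part worth keeping even if the slash-collapsing is handled by a library: an internal rewrite rule should never be able to produce a `Location` whose first two characters are `//`, so checking the final string is a cheap invariant regardless of how it was assembled.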
What is the Impact of CVE-2026-44372?
Successful exploitation may allow attackers to redirect users to arbitrary malicious websites, facilitating phishing, credential theft, or malware distribution campaigns.
What is the Exploitability of CVE-2026-44372?
Exploitation of this vulnerability is of low complexity, as it only requires crafting a specific URL. No authentication or elevated privileges are needed, and the attack is remote. The primary prerequisites are that the target application uses Nitro's routeRules with a redirect entry, the target uses a /** wildcard, and the redirect is handled by the Nitro runtime rather than natively by a CDN. The risk of exploitation is increased in environments where routeRules.redirect is not offloaded to edge platforms like Vercel, Netlify, Cloudflare Pages, or EdgeOne.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-44372?
Available Upgrade Options
- nitropack: <2.13.4 → Upgrade to 2.13.4
- nitro: <3.0.260429-beta → Upgrade to 3.0.260429-beta
Additional Resources
- https://github.com/nitrojs/nitro/security/advisories/GHSA-9phm-9p8f-hw5m
- https://github.com/nitrojs/nitro/releases/tag/v3.0.260429-beta
- https://github.com/nitrojs/nitro/releases/tag/v2.13.4
- https://github.com/nitrojs/nitro/pull/4236
- https://osv.dev/vulnerability/GHSA-9phm-9p8f-hw5m
- https://github.com/unjs/ufo/commit/5cd9e676711af3f4e4b5398ddf6ca8d52c1c7e1f
- https://github.com/nitrojs/nitro
What are Similar Vulnerabilities to CVE-2026-44372?
Similar Vulnerabilities: CVE-2023-46747, CVE-2023-38545, CVE-2023-36036, CVE-2022-41857, CVE-2022-29007
