GHSA-5w89-w975-hf9q
Path Traversal vulnerability in nitro (npm)

Path Traversal (no known public exploit)

What is GHSA-5w89-w975-hf9q About?

This vulnerability in Nitro's `routeRules` allows attackers to bypass configured proxy scope rules using percent-encoded path traversal (`..%2f`). This can expose internal endpoints or services normally protected by the proxy. Exploitation is relatively easy if the upstream server decodes percent-encoded forward slashes.

Affected Software

  • nitro
    • <3.0.260429-beta
  • nitropack
    • <2.13.4

Technical Details

Nitro's routeRules with a proxy entry, specifically when using a /** wildcard suffix ({ proxy: { to: "http://upstream/orders/**" } }), is vulnerable to path traversal. The issue arises because Nitro, before the patch, treated percent-encoded path traversal sequences like ..%2f as opaque characters during the initial route matching phase.

For example, a request like GET /api/orders/..%2fadmin%2fconfig.json would successfully match the /api/orders/** rule. Nitro would then forward the raw, percent-encoded path to the upstream server as /orders/..%2fadmin/config.json. If the upstream server (e.g., a static file server, a naive web server, or any system that decodes %2F into / before routing or filesystem lookup) then processes this path, the .. segment is interpreted as a directory traversal. This allows an attacker to reach resources or endpoints outside the intended /orders/ scope, such as /admin/config.json, which was meant to be inaccessible through that specific proxy rule.

Modern JavaScript frameworks generally keep %2F opaque and are therefore not affected as upstreams, but older or less strict implementations that decode it before routing are.
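As an added example (not Nitro's own code), the following JavaScript models a /** proxy rule and contrasts raw-prefix matching, which lets the encoded traversal through, with a resolver that percent-decodes and normalizes the path before checking that it still lies inside the rule's scope. The rule object, the function names and the bounded repeated decoding (which also covers double-encoded sequences, going beyond the single encoding the advisory describes) are assumptions of this example.

```javascript
// Added example, not Nitro's own code: a model of a "/**" proxy routeRule that
// matches only on the percent-decoded, normalized path, so an encoded traversal
// cannot pass route matching yet escape the proxied scope upstream.
// The rule shape mirrors the advisory's { proxy: { to: "http://upstream/orders/**" } }.
const ORDERS_RULE = {
  pattern: "/api/orders/**",
  proxy: { to: "http://upstream/orders/**" },
};

// Pre-patch style matcher: compares the raw, still-encoded path to the prefix.
// "..%2f" is just opaque characters here, so a traversal payload still matches.
function rawPrefixMatch(rule, path) {
  return path.startsWith(rule.pattern.slice(0, -2));
}

// Percent-decode until stable (bounded, so "%252f" -> "%2f" -> "/" is caught
// too), then collapse "." and ".." segments the way a filesystem or router
// would. Returns null for malformed encoding.
function normalizeDecodedPath(path) {
  let decoded = path;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(decoded); } catch { return null; }
    if (next === decoded) break;
    decoded = next;
  }
  const out = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; } // "/.." at the root stays at the root
    out.push(seg);
  }
  const trailing = decoded.endsWith("/") && out.length > 0 ? "/" : "";
  return "/" + out.join("/") + trailing;
}

// Hardened resolver: matches on the normalized path and rebuilds the upstream
// URL from re-encoded segments (so no decoded "/" or "$" reaches the template).
// Returns null when the request must not be proxied at all.
function resolveProxyTarget(rule, path) {
  const prefix = rule.pattern.slice(0, -2); // "/api/orders/"
  const normalized = normalizeDecodedPath(path);
  if (normalized === null || !normalized.startsWith(prefix)) return null;
  const rest = normalized.slice(prefix.length)
    .split("/").map(encodeURIComponent).join("/");
  return rule.proxy.to.replace("**", rest);
}
```

For the advisory's request path, rawPrefixMatch returns true while resolveProxyTarget returns null, which is the difference between forwarding /orders/..%2fadmin/config.json upstream and refusing the request at the proxy.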

What is the Impact of GHSA-5w89-w975-hf9q?

Successful exploitation may allow attackers to bypass proxy scope rules, accessing internal admin endpoints, secrets, or other services that should be inaccessible.

What is the Exploitability of GHSA-5w89-w975-hf9q?

Exploitation is remote and requires no authentication or special privileges. The attacker simply needs to construct a URL with percent-encoded path traversal sequences (e.g., ..%2f) in the path segment that is proxied by Nitro. The complexity of the attack is low, primarily involving payload crafting.

However, a key prerequisite is that the upstream server receiving the proxied request must decode %2F to / and then resolve the resulting path traversal. If the upstream server strictly adheres to RFC 3986 and keeps %2F opaque, the attack fails. The special conditions are therefore a Nitro application configured with vulnerable routeRules and an upstream server that decodes %2F. Risk increases if the upstream server is legacy, a static file server, or part of a microservice architecture where intermediate layers might perform such decoding, potentially exposing sensitive internal configurations or API endpoints.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for GHSA-5w89-w975-hf9q?

Available Upgrade Options

  • nitropack
    • <2.13.4 → Upgrade to 2.13.4
  • nitro
    • <3.0.260429-beta → Upgrade to 3.0.260429-beta

Additional Resources

What are Similar Vulnerabilities to GHSA-5w89-w975-hf9q?

Similar Vulnerabilities: CVE-2023-34030, CVE-2023-46305, CVE-2023-28155, CVE-2022-24759, CVE-2021-32622