CVE-2026-44372

GHSA advisory · Medium severity (5.3) · Published May 13, 2026 · Updated May 14, 2026

Description

Nitro is a next-generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule that uses a wildcard rewrite into a cross-host redirect by inserting an extra slash immediately after the rule prefix. This vulnerability is fixed in 3.0.260429-beta.
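As an added illustration, not ufo's or Nitro's own code, the following simplified model shows the prefix-stripping step before and after the fix, alongside the check a redirect handler can apply to the target it is about to emit. The helper names, the `/legacy/**` rule and the `redirectFor` wrapper are assumptions made for the example.

```typescript
// Hypothetical, simplified model of stripping a route-rule prefix from a
// request path (not ufo's own withoutBase). Both variants return a path
// relative to `base`, which is assumed to be an absolute path like "/legacy".
function stripBaseVulnerable(input: string, base: string): string {
  const prefix = base.endsWith("/") ? base.slice(0, -1) : base;
  if (!input.startsWith(prefix)) return input;
  const nextChar = input[prefix.length];
  if (nextChar && nextChar !== "/" && nextChar !== "?") return input;
  const trimmed = input.slice(prefix.length);
  // Defect: "//evil.com" already starts with "/" and is returned verbatim,
  // so the rewritten path is a protocol-relative URL pointing off-host.
  return trimmed[0] === "/" ? trimmed : "/" + trimmed;
}

function stripBaseFixed(input: string, base: string): string {
  const prefix = base.endsWith("/") ? base.slice(0, -1) : base;
  if (!input.startsWith(prefix)) return input;
  const nextChar = input[prefix.length];
  if (nextChar && nextChar !== "/" && nextChar !== "?") return input;
  // Collapse every leading slash, then prepend exactly one.
  const trimmed = input.slice(prefix.length).replace(/^\/+/, "");
  return "/" + trimmed;
}

// Independent guard for a handler that emits a same-origin Location header:
// a local target must begin with a single "/" (no scheme, no authority).
function isSameOriginPath(target: string): boolean {
  return target.startsWith("/") && !target.startsWith("//");
}

// Model of a rule `/legacy/**` -> `/**`: the request path minus the prefix
// becomes the redirect target. Returns null when the target is not local,
// so the guard catches the defect even with the vulnerable stripper.
function redirectFor(
  requestPath: string,
  strip: (input: string, base: string) => string,
): string | null {
  const target = strip(requestPath, "/legacy");
  return isSameOriginPath(target) ? target : null;
}
```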

Patches

5cd9e676711a

fix(withoutBase): collapse leading slashes (#335)

https://github.com/unjs/ufo · Pooya Parsa · Apr 29, 2026 · via ghsa
2 files changed · +9 −2
  • src/utils.ts (+4 −2, modified)
    @@ -328,8 +328,10 @@ export function withoutBase(input: string, base: string) {
       if (nextChar && nextChar !== "/" && nextChar !== "?") {
         return input;
       }
    -  const trimmed = input.slice(_base.length);
    -  return trimmed[0] === "/" ? trimmed : "/" + trimmed;
    +  // Collapse leading slashes to prevent protocol-relative URL injection
    +  // e.g. withoutBase("/legacy//evil.com", "/legacy") must not return "//evil.com"
    +  const trimmed = input.slice(_base.length).replace(/^\/+/, "");
    +  return "/" + trimmed;
     }
     
     /**
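Review bot: The new guarantee that the return value starts with exactly one "/" is only stated in an inline comment; the JSDoc block that follows this hunk should document it, since callers building a Location header from this result now rely on it. Note also that the collapse applies only after a successful prefix match: when `input` does not start with `_base`, or when `nextChar` is neither "/" nor "?", the early `return input;` hands back the original string untouched, so callers must not assume the "//" protection on that path.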
    
  • test/base.test.ts (+5 −0, modified)
    @@ -62,6 +62,11 @@ describe("withoutBase", () => {
         },
         { base: "/admin", input: "/admin-dashboard", out: "/admin-dashboard" },
         { base: "/admin/", input: "/admin/dashboard", out: "/dashboard" },
    +    // Collapse leading "//" to prevent protocol-relative URL injection
    +    { base: "/legacy", input: "/legacy//evil.com", out: "/evil.com" },
    +    { base: "/legacy/", input: "/legacy//evil.com", out: "/evil.com" },
    +    { base: "/legacy", input: "/legacy///evil.com", out: "/evil.com" },
    +    { base: "/legacy", input: "/legacy//", out: "/" },
       ];
     
       for (const t of tests) {
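Review bot: The four new cases cover "//", "///" and a trailing "//" but none combines the collapsed slashes with a query string or exercises the unchanged-prefix path, which is where regressions in the `nextChar` guard would show. Consider adding, for example, `{ base: "/legacy", input: "/legacy//evil.com?x=1", out: "/evil.com?x=1" }` and `{ base: "/legacy", input: "/legacy-old//x", out: "/legacy-old//x" }` so the test documents both the new guarantee and its boundary.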
    
