nitro 3.0.260311-beta

Direct Vulnerabilities

Known vulnerabilities in the nitro package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Directory Traversal nitro is a Build and Deploy Universal JavaScript Servers Affected versions of this package are vulnerable to Directory Traversal via the `routeRules` function. An attacker can access files or endpoints outside the intended proxy scope by sending specially crafted URLs containing percent-encoded path traversal sequences. Note: This is only exploitable if the project uses proxy route rules with a wildcard suffix, the upstream decodes percent-encoded slashes before routing, and proxy rules are not handled natively at the CDN. How to fix Directory Traversal? Upgrade `nitro` to version 3.0.260429-beta or higher.	<3.0.260429-beta
M Open Redirect nitro is a Build and Deploy Universal JavaScript Servers Affected versions of this package are vulnerable to Open Redirect via the `routeRules` function. An attacker can redirect users to arbitrary external sites by crafting URLs with double slashes after the route prefix, causing browsers to interpret the redirect as a protocol-relative URL. This is only exploitable if the project uses `routeRules` with a `redirect` entry that includes a wildcard suffix (such as `/**`), and the redirect is not handled natively at the CDN layer (e.g., not using the `vercel`, `netlify`, `cloudflare-pages`, or `edgeone` presets). How to fix Open Redirect? Upgrade `nitro` to version 3.0.260429-beta or higher.	<3.0.260429-beta

Vulnerability

Vulnerable Version

Directory Traversal

nitro is a Build and Deploy Universal JavaScript Servers

Affected versions of this package are vulnerable to Directory Traversal via the routeRules function. An attacker can access files or endpoints outside the intended proxy scope by sending specially crafted URLs containing percent-encoded path traversal sequences.

Note:

This is only exploitable if the project uses proxy route rules with a wildcard suffix, the upstream decodes percent-encoded slashes before routing, and proxy rules are not handled natively at the CDN.

How to fix Directory Traversal?

Upgrade nitro to version 3.0.260429-beta or higher.

<3.0.260429-beta

Open Redirect

nitro is a Build and Deploy Universal JavaScript Servers

Affected versions of this package are vulnerable to Open Redirect via the routeRules function. An attacker can redirect users to arbitrary external sites by crafting URLs with double slashes after the route prefix, causing browsers to interpret the redirect as a protocol-relative URL. This is only exploitable if the project uses routeRules with a redirect entry that includes a wildcard suffix (such as /**), and the redirect is not handled natively at the CDN layer (e.g., not using the vercel, netlify, cloudflare-pages, or edgeone presets).

How to fix Open Redirect?

Upgrade nitro to version 3.0.260429-beta or higher.

<3.0.260429-beta

nitro@3.0.260311-beta

Build and Deploy Universal JavaScript Servers

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically