3 matches found
@100x/application (>=0.0.1 <=0.0.6), @aero-js/cli (=0.4.0) +32 more potentially affected by CVE-2026-44372 via nitro (>=1.14.9 <=3.0.260415-beta)
nitro NPM version =1.14.9, =0.0.1, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.1.0, =0.1.0, =0.4.2, =2.4.0-alpha.2, =2.4.0-alpha.2, =3.0.0-alpha.53 and more Source cves: CVE-2026-44372 Source advisory: OSV:GHSA-9PHM-9P8F-HW5M...
@100x/application (>=0.0.1 <=0.0.6), @aero-js/cli (=0.4.0) +32 more potentially affected by CVE-2026-44373 via nitro (>=1.14.9 <=3.0.260415-beta)
nitro NPM version =1.14.9, =0.0.1, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.1.0, =0.1.0, =0.4.2, =2.4.0-alpha.2, =2.4.0-alpha.2, =3.0.0-alpha.53 and more Source cves: CVE-2026-44373 Source advisory: OSV:GHSA-5W89-W975-HF9Q...
Nitro has a proxy scope bypass via percent-encoded path traversal in `routeRules`
A proxy route rule like `routeRules: { "/api/orders/": { proxy: { to: "http://upstream/orders/" } } }` is intended to limit the proxy to URLs under `/api/orders/`. Before the patch, an attacker could bypass that scope by sending percent-encoded path traversal `..%2f` in the URL, causing Nitro to forward a...