633 matches found
NPM: Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules
NPM: Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules vulnerability discovered by ? in WordPress Npm nitropack versions 2.13.4...
GHSA-9PHM-9P8F-HW5M Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules
A redirect route rule like: ts routeRules: "/legacy/": redirect: "/" is intended to rewrite paths within the same host. Before the patch, an attacker could turn the rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. Example exploit: GET /legacy//evil.com Nitro...
@100x/application (>=0.0.1 <=0.0.6), @aero-js/cli (=0.4.0) +39 more potentially affected by CVE-2026-44372 via nitro (>=3.0.0 <=3.0.260415-beta)
nitro NPM version =3.0.0, =0.0.1, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.1.0, =0.1.0, =0.4.2, =2.4.0-alpha.2, =2.4.0-alpha.2, =3.0.0-alpha.55 and more Source cves: CVE-2026-44372 Source advisory: SNYK:JS-NITRO-16757947...
Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules
A redirect route rule like: ts routeRules: "/legacy/": redirect: "/" is intended to rewrite paths within the same host. Before the patch, an attacker could turn the rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. Example exploit: GET /legacy//evil.com Nitro...
Directory Traversal
Overview nitro is a Build and Deploy Universal JavaScript Servers Affected versions of this package are vulnerable to Directory Traversal via the routeRules function. An attacker can access files or endpoints outside the intended proxy scope by sending specially crafted URLs containing...
@100x/application (>=0.0.1 <=0.0.6), @aero-js/cli (=0.4.0) +39 more potentially affected by CVE-2026-44373 via nitro (>=3.0.0 <=3.0.260415-beta)
nitro NPM version =3.0.0, =0.0.1, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.1.0, =0.1.0, =0.4.2, =2.4.0-alpha.2, =2.4.0-alpha.2, =3.0.0-alpha.55 and more Source cves: CVE-2026-44373 Source advisory: SNYK:JS-NITRO-16757954...
NPM: Nitro has a proxy scope bypass via percent-encoded path traversal in `routeRules`
NPM: Nitro has a proxy scope bypass via percent-encoded path traversal in routeRules vulnerability discovered by ? in WordPress Npm nitropack versions 2.13.4...
GHSA-5W89-W975-HF9Q Nitro has a proxy scope bypass via percent-encoded path traversal in `routeRules`
A proxy route rule like: ts routeRules: "/api/orders/": proxy: to: "http://upstream/orders/" is intended to limit the proxy to URLs under /api/orders/. Before the patch, an attacker could bypass that scope by sending percent-encoded path traversal ..%2f in the URL, causing Nitro to forward a...
@100x/application (>=0.0.1 <=0.0.6), @aero-js/cli (=0.4.0) +42 more potentially affected by CVE-2026-44373 via nitro (>=0.0.0 <=3.0.260415-beta)
nitro NPM version =0.0.0, =0.0.1, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.1.0, =0.1.0, =0.4.2, =2.4.0-alpha.2, =2.4.0-alpha.2, =3.0.0-alpha.55 and more Source cves: CVE-2026-44373 Source advisory: OSV:GHSA-5W89-W975-HF9Q...
@bicou/countries-server (>=1.6.0 <=1.6.7), @gabortorma/feathers-nitro-adapter (>=0.5.0 <=0.6.0) +10 more potentially affected by CVE-2026-44373 via nitropack (>=2.10.4 <=2.13.1)
nitropack NPM version =2.10.4, =1.6.0, =0.5.0, =0.6.1, =1.0.0, =4.0.0, =4.0.0-29145487.7beaa672, =2.0.0-beta.131, =1.0.2, =4.0.0, =0.1.0, =4.0.0-29145487.7beaa672, =4.0.1-29212698.365e81c1 Source cves: CVE-2026-44373 Source advisory: SNYK:JS-NITROPACK-16757953...
NPM: Nitro has a proxy scope bypass via percent-encoded path traversal in `routeRules`
NPM: Nitro has a proxy scope bypass via percent-encoded path traversal in routeRules vulnerability discovered by ? in WordPress Npm nitro versions 3.0.260429-beta...
Nitro has a proxy scope bypass via percent-encoded path traversal in `routeRules`
A proxy route rule like: ts routeRules: "/api/orders/": proxy: to: "http://upstream/orders/" is intended to limit the proxy to URLs under /api/orders/. Before the patch, an attacker could bypass that scope by sending percent-encoded path traversal ..%2f in the URL, causing Nitro to forward a...
Low: aws-nitro-tpm-tools
Issue Overview: time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used...
CVE-2025-69627
Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc. During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper...
Medium: oci-add-hooks
Issue Overview: url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which t...
Medium: amazon-ecr-credential-helper
Issue Overview: url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which t...
Amazon Linux 2 : oci-add-hooks, --advisory ALAS2NITRO-ENCLAVES-2026-096 (ALASNITRO-ENCLAVES-2026-096)
The version of oci-add-hooks installed on the remote host is prior to 0-0.8.20200504git325a340. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NITRO-ENCLAVES-2026-096 advisory. url.Parse insufficiently validated the host/authority component and accepted some...
EUVD-2025-209415
A NULL pointer dereference in Nitro PDF Pro for Windows v14.41.1.4 allows attackers to cause a Denial of Service DoS via a crafted XFA packet...
EUVD-2025-209419
Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc. During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper...
EUVD-2025-209417
Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert. When app.alert is called with more than one argument and the first argument evaluates to null for example, app.alertapp.activeDocs, true when app.activeDocs is null...