Listen to this Post
Intro
CVE-2026-44373 affects Nitro, a next-generation server toolkit, prior to version 3.0.260429-beta. The vulnerability allows an attacker to bypass proxy route rules by sending percent-encoded path traversal sequences in the URL. Normally, a proxy route rule restricts which paths can be forwarded to an upstream server. However, Nitro’s request parsing logic improperly decodes percent-encoded characters before evaluating the route rule. By using `..%2f` (which decodes to ../) inside a URL path, the attacker can traverse outside the configured scope. For example, a request to `/proxy/..%2f..%2fadmin` may be interpreted as `/admin` after decoding, bypassing the intended `/proxy/` prefix constraint. Nitro then forwards this request to the upstream server, which resolves it to a path outside the allowed directory. This effectively nullifies the proxy route protection. The issue exists because Nitro’s route matching occurs before full canonicalization of the URL path. Percent-encoding of the slash (%2f) and dot (%2e) are both relevant, but the key is ..%2f. An attacker can chain multiple `..%2f` segments to reach sensitive endpoints like `/etc/passwd` or internal admin panels. The vulnerability is fixed in version 3.0.260429-beta by properly normalizing percent-encoded sequences before route rule evaluation. No additional configuration changes are required beyond updating to the patched version.
DailyCVE Form
Platform: Nitro server toolkit
Version: before 3.0.260429-beta
Vulnerability: Percent-encoded path traversal
Severity: Medium (CVSS unknown)
date: 05/13/2026
Prediction: Fixed in beta
What Undercode Say
Analytics:
Simulate percent-encoded traversal bypass curl -v "http://target:8080/proxy/..%2f..%2fadmin/config" Test with multiple encodings curl -i "http://target:8080/api/proxy/..%2f..%2f..%2fetc/passwd" Check Nitro version for vulnerability grep -E '"version":.3.0.' package.json | grep -v "3.0.260429-beta"
Exploit
Send HTTP request with `..%2f` sequence in path. Target any proxy route rule (e.g., /proxy/). Example: GET /proxy/..%2fadmin HTTP/1.1. Nitro forwards request upstream to /admin. Access restricted resources outside proxy scope.
Protection
Upgrade to Nitro version 3.0.260429-beta or later. If upgrade impossible, implement reverse proxy normalization layer. Reject requests containing %2f, %2e, or `..%2f` patterns at edge firewall.
Impact
Unauthorized access to internal endpoints. Read sensitive files. Bypass authentication enforced by proxy rules. Potential privilege escalation. Full compromise of upstream services.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

