Nitro Open Redirect Vulnerability via Wildcard Route Rule Bypass

Vulnerability

A cross-host open redirect vulnerability has been identified in Nitro versions prior to 3.0.260429-beta. The issue arises in redirect route rules that use wildcards: an attacker can manipulate the redirect target by adding an extra slash after the rule prefix. Exploitation can redirect the browser to a malicious site, and the browser follows the redirect without any user interaction.

Impact

Exploitation of this vulnerability allows for open redirects to attacker-controlled URLs, bypassing the intended same-host redirect functionality. The redirects are executed silently by the browser, potentially leading to phishing or other malicious activities.

Reproduction

To reproduce this vulnerability, create a redirect route rule that uses wildcards, such as one redirecting from '/legacy/**' to '/**'. Then send a request that includes an extra slash after the 'legacy' prefix, followed by a different host name. Nitro strips the matched prefix from the original path but preserves the added slashes, so the computed redirect target points to another host.

Remediation

Users are advised to upgrade to Nitro version 3.0.260429-beta or later. The fix involves updating the 'ufo' dependency and applying additional logic to collapse leading slashes in redirect rules.

Added: May 13, 2026, 9:30 PM
Updated: May 13, 2026, 9:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.2
exploitability: 8.0
remediation: 0.0
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.