Nitro Path Traversal Vulnerability Allowing Proxy Scope Bypass

Vulnerability

A vulnerability in Nitro, a server toolkit, prior to version 3.0.260429-beta, allows attackers to bypass proxy route rules by sending percent-encoded path traversal sequences in the URL. This manipulation causes Nitro to forward requests that the upstream server resolves outside the intended scope, potentially exposing sensitive endpoints or data.

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal admin endpoints, secret endpoints, or other services that were believed to be protected by the proxy scope rules.

Reproduction

To reproduce this vulnerability, create a proxy route rule in Nitro that uses a wildcard suffix to forward sub-paths. Then, send a request that includes percent-encoded path traversal sequences to bypass the scope restriction. Nitro will forward the request to the upstream server, which may decode the traversal sequence and grant access to restricted resources.

Remediation

Upgrade to Nitro version 3.0.260429-beta or 2.13.4. The fix canonicalizes the incoming pathname before building the upstream URL and rejects out-of-scope requests with a 400 Bad Request response.
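The paragraph above describes the shape of the fix but not the check itself. The following is an added example, not Nitro's own code, showing the defensive pattern in plain JavaScript: decode the pathname once, collapse `.` and `..` segments, decide scope on the canonical form, and only then build the upstream URL. The function names (`canonicalizePath`, `resolveUpstream`), the `/api` prefix and the `http://upstream.internal` base are assumptions made for the example; the inputs in the usage lines are constructed.

```javascript
// Added example (not Nitro's code): canonicalize before deciding proxy scope.

// Split the request target into pathname and query; scope is decided on the
// pathname only, the query is re-attached untouched when forwarding.
function splitPathQuery(target) {
  const q = target.indexOf('?');
  return q === -1 ? [target, ''] : [target.slice(0, q), target.slice(q)];
}

// Decode exactly one layer of percent-encoding. A malformed sequence such
// as "%zz" makes decodeURIComponent throw; treat that as a rejection.
function decodeOnce(path) {
  try {
    return decodeURIComponent(path);
  } catch (e) {
    return null;
  }
}

// Collapse empty, "." and ".." segments. Returns null when ".." would climb
// above the root, which can never be inside any prefix rule.
function normalizeSegments(path) {
  const out = [];
  // Backslash is treated as a separator too: some upstreams do the same, and
  // a scope check that disagrees with the upstream is the bug being avoided.
  for (const seg of path.split(/[\/\\]/)) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null;
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Returns the canonical pathname, or null if it cannot be trusted.
function canonicalizePath(pathname) {
  const decoded = decodeOnce(pathname);
  if (decoded === null) return null;
  // A '%' left after one decode means a second encoding layer that the
  // upstream may decode again; refuse rather than guess what it will see.
  if (decoded.includes('%')) return null;
  return normalizeSegments(decoded);
}

// routePrefix is the proxied scope ("/api" for a rule like "/api/**").
// Returns {status: 400} when the canonical path leaves that scope, otherwise
// {status: 200, upstream} with the URL that would actually be forwarded.
// The prefix is kept on the upstream path; a rule that rewrites it would
// strip it here, after the scope decision, never before.
function resolveUpstream(routePrefix, upstreamBase, target) {
  const [pathname, query] = splitPathQuery(target);
  const canonical = canonicalizePath(pathname);
  const prefix = routePrefix.replace(/\/+$/, '');
  const inScope =
    canonical !== null &&
    (canonical === prefix || canonical.startsWith(prefix + '/'));
  if (!inScope) return { status: 400, reason: 'path escapes proxy scope' };
  return { status: 200, upstream: upstreamBase.replace(/\/+$/, '') + canonical + query };
}

// Constructed inputs for a hypothetical "/api/**" rule.
console.log(resolveUpstream('/api', 'http://upstream.internal', '/api/users'));
console.log(resolveUpstream('/api', 'http://upstream.internal', '/api/%2e%2e/admin'));
console.log(resolveUpstream('/api', 'http://upstream.internal', '/api/%252e%252e/admin'));
```

The scope test compares against `prefix + '/'` rather than the bare prefix so that `/apiary/...` is not mistaken for `/api/...`, and the `..`-above-root case is rejected outright rather than clamped to `/`, since clamping would silently turn an out-of-scope request into a request for the upstream root.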

Added: May 13, 2026, 9:28 PM
Updated: May 13, 2026, 9:28 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.3
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.