chore(deps): update pnpm.catalog.dev nitropack to v2.13.4 [security]#280

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-nitropack-vulnerability

Conversation


@renovate renovate Bot commented May 8, 2026

This PR contains the following updates:

Package | Change
nitropack | 2.12.9 → 2.13.4

Nitro has a proxy scope bypass via percent-encoded path traversal in routeRules

CVE-2026-44373 / GHSA-5w89-w975-hf9q

Details

A proxy route rule like:

routeRules: {
  "/api/orders/**": { proxy: { to: "http://upstream/orders/**" } }
}

is intended to limit the proxy to URLs under /api/orders/. Before the patch, an attacker could bypass that scope by sending percent-encoded path traversal (..%2f) in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. Example exploit:

GET /api/orders/..%2fadmin%2fconfig.json

Nitro saw ..%2f as opaque characters at match time, so the /api/orders/** rule matched and the raw path was forwarded to the upstream as /orders/..%2fadmin/config.json. An upstream that decodes %2F to / then resolved .. and could serve /admin/config.json outside the intended scope.

Are you affected?

Users may be affected if ALL of the following are true:

  1. Their project uses Nitro's routeRules with a proxy entry ({ proxy: { to: "..." } }).
  2. The proxy to value uses a /** wildcard suffix to forward sub-paths.
  3. The upstream behind the proxy decodes %2F as / before routing or filesystem lookup.
  4. Proxy route rules are not handled natively at CDN (nitro v3 and vercel)

Whether the bypass actually leaks data depends on the upstream. Modern JS frameworks keep %2F opaque per RFC 3986 and are safe by construction.

  • Safe examples: H3 v2, Express v5, Hono v4 — modern JS frameworks keep %2F opaque per RFC 3986.
  • Vulnerable examples: naive implementations that decode the URL, static file servers, CGI dispatchers, Python os.path-based routing, anything sitting behind another layer that decodes %2F (common in microservice meshes).

Impact

Any HTTP path reachable from the Nitro server to the upstream could be requested, regardless of the configured /** scope. In typical deployments (API gateway, BFF, microservice proxy) this could expose internal admin endpoints, secrets endpoints, or other services the developer believed the scope rule fenced off.

Patched versions

Upgrade to one of:

The fix canonicalizes the incoming pathname before building the upstream URL and rejects requests with 400 Bad Request if the resolved path would escape the rule's base. The bytes forwarded upstream are unchanged when the request is allowed.

Note: the fix assumes the upstream does not double-decode percent-encoding. If your upstream decodes twice (%252F → %2F → /), it remains your responsibility to harden it. Single-decode is standard.

Credits

Reported by @mHe4am (@he4am on HackerOne) via the Vercel Open Source program.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules

CVE-2026-44372 / GHSA-9phm-9p8f-hw5m

Details

A redirect route rule like:

routeRules: {
  "/legacy/**": { redirect: "/**" }
}

is intended to rewrite paths within the same host. Before the patch, an attacker could turn the rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. Example exploit:

GET /legacy//evil.com

Nitro stripped /legacy from the matched pathname and joined the remainder against the rule's target. The remainder was //evil.com, which the join preserved verbatim, so Nitro responded with Location: //evil.com. Browsers resolve //evil.com as a protocol-relative URL against the current scheme, sending the user to https://evil.com.

Are you affected?

Users may be affected if all of the following are true:

  1. Their project uses Nitro's routeRules with a redirect entry.
  2. The target uses a /** wildcard suffix to forward sub-paths (e.g. redirect: "/**", redirect: "/new/**", proxy: { to: "http://upstream/**" }).
  3. The redirect rule is not handled natively at the CDN layer. The vercel, netlify, cloudflare-pages, and edgeone presets translate routeRules.redirect into platform config (vercel.json, _redirects, EdgeOne v3 config) and serve the redirect at the edge — those deployments bypass the Nitro runtime entirely and are not affected. Every other preset executes the redirect through the Nitro runtime and can be vulnerable.

Impact

Open redirect from any host serving Nitro with a wildcard redirect rule. The redirect target is fully attacker-controlled, the URL looks legitimate (it starts with the victim's domain), and the browser silently follows it.

Patched versions

Upgrade to one of:

The fix has two parts:

  1. ufo is bumped to ^1.6.4 (unjs/ufo@5cd9e67), which collapses any run of leading slashes to a single / inside withoutBase. This covers the typical "/scope/**" rule.
  2. The Nitro runtime additionally collapses leading // before joining when the rule path itself is /** (a rare case in which withoutBase is never called and the raw pathname flows straight into joinURL("", …)).

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

nitrojs/nitro (nitropack)

v2.13.4

Compare Source


[!IMPORTANT]
This release patches two medium-severity vulnerabilities in proxy and redirect route rules. Users relying on either are strongly encouraged to upgrade. See GHSA-5w89-w975-hf9q and GHSA-9phm-9p8f-hw5m for details.

🚀 Enhancements
🩹 Fixes
  • route-rules: Reject out-of-scope requests (#4223)
  • route-rules: Prevent open redirect via protocol-relative url bypass (8d6bfb0b)
🏡 Chore
❤️ Contributors

v2.13.3

Compare Source


📦 Dependency Updates
Package From To
httpxy ^0.3.1 ^0.5.0
h3 ^1.15.9 ^1.15.10
esbuild ^0.27.4 ^0.27.5
rollup ^4.59.0 ^4.60.1
@vercel/nft ^1.4.0 ^1.5.0
c12 ^3.3.3 ^3.3.4
citty ^0.2.1 ^0.2.2
defu ^6.1.4 ^6.1.6
globby ^16.1.1 ^16.2.0
listhen ^1.9.0 ^1.9.1
unstorage ^1.17.4 ^1.17.5
cookie-es ^2.0.0 ^2.0.1
youch ^4.1.0 ^4.1.1

v2.13.2

Compare Source


[!NOTE]
This release upgrades h3 to latest 1.15.9 which contains security fixes.

🩹 Fixes
  • prerender: Skip writing routes with .. or outside of public dir (81f76800)
  • prerender: Mark invalid routes as skipped (9cb795c7)
📖 Documentation
Preset Changes
  • vercel: Add types and docs for isr.exposeErrBody (f7753152)
❤️ Contributors

v2.13.1

Compare Source


This release mainly updates dependencies (696dc3a9)

  • h3@1.15.5 released with security fix (release notes)
  • unstorage@v1.17.4 released with chokidar, lru-cache, and h3 dependency bumps (release notes)

v2.13.0

Compare Source


🚀 Enhancements
  • vercel: Add support for skew protection (#3850)
  • bun: Support NITRO_BUN_IDLE_TIMEOUT env variable (#3294)
🔥 Performance
  • Process static assets in parallel (#3910)
  • Limit concurrency for compressing public assets (#3384)
🩹 Fixes
  • firebase: Update gen 1 import to match latest sdk (28406449)
  • Correct crypto polyfill (5caca6c0)
  • vercel: Handle ISR requests with passQuery: true (#3539)
  • dev: Automatically use Content-Encoding: gzip for .gz static files (#3381)
  • static: Add vary: accept-encoding for assets with compressed version (#3443)
  • dev: Respect opts.json when false for error handler (#3920)
  • dev: Apply headers from route rules for static assets (c74d7a17, f059e4ba, be316b49)
  • vercel: Avoid adding o11y links for prerendered paths (#3927)
  • cloudflare-durable: Expose env bindings in durable handler (#3931)
💅 Refactors
  • Update firebase-functions type import (d27fbe86)
📖 Documentation
📦 Dependencies
🤖 CI
  • Avoid bumping h3 to nightly (0b5a9c37)
  • Correct ref check for nightly (de8d24c4)
❤️ Contributors

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • "after 1am and before 2am"

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
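An added example, not Nitro's or ufo's own code, showing the defensive behaviour the two advisories above describe: the canonical-path scope check that answers proxy requests escaping the rule base with a rejection, and the leading-slash collapse that stops a redirect remainder from becoming a protocol-relative URL. The rule bases, the upstream URL and the sample request paths are constructed values, and the upstream is assumed to percent-decode at most once, as the advisory notes.

```javascript
// Added example (not Nitro's or ufo's own code) mirroring the two fixes the
// advisories describe. Rule bases, upstream URL and sample paths are constructed.
// Assumes the upstream decodes percent-encoding at most once (see advisory note).

// Decode once and resolve "." / ".." segments, i.e. the path as a
// traversal-prone upstream would resolve it. Throws URIError on bad encoding.
function canonicalizePath(pathname) {
  const segments = [];
  for (const seg of decodeURIComponent(pathname).split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { segments.pop(); continue; }
    segments.push(seg);
  }
  return "/" + segments.join("/");
}

// Proxy rule "<ruleBase>/**" -> "<upstreamBase>/**": returns the URL to forward
// to, or null when the canonical path would escape ruleBase (caller sends 400).
// When allowed, the remainder is forwarded byte-for-byte, as in the fix.
function resolveProxyTarget(pathname, ruleBase, upstreamBase) {
  if (!pathname.startsWith(ruleBase)) return null; // rule would not match at all
  let canonical;
  try {
    canonical = canonicalizePath(pathname);
  } catch (_e) {
    return null; // malformed percent-encoding: reject rather than guess
  }
  if (canonical !== ruleBase && !canonical.startsWith(ruleBase + "/")) return null;
  return upstreamBase + pathname.slice(ruleBase.length);
}

// Redirect rule "<rulePrefix>/**" -> "<redirectBase>/**": strip the prefix and
// collapse any run of leading slashes so "//evil.com" cannot survive the join
// and turn into a protocol-relative Location header.
function resolveRedirectTarget(pathname, rulePrefix, redirectBase) {
  const rest = pathname.startsWith(rulePrefix) ? pathname.slice(rulePrefix.length) : pathname;
  const remainder = rest.replace(/^\/+/, "/") || "/";
  return redirectBase.replace(/\/+$/, "") + remainder;
}

// Constructed sample requests taken from the advisories above.
console.log(resolveProxyTarget("/api/orders/123", "/api/orders", "http://upstream/orders"));
console.log(resolveProxyTarget("/api/orders/..%2fadmin%2fconfig.json", "/api/orders", "http://upstream/orders"));
console.log(resolveRedirectTarget("/legacy//evil.com", "/legacy", "/"));
```

A request whose traversal stays inside the base (for example /api/orders/sub/..%2f42) is still forwarded with its original bytes, which is the "unchanged when allowed" property the advisory describes.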

@renovate renovate Bot added the dependencies label May 8, 2026
@renovate renovate Bot requested a review from hmbanan666 as a code owner May 8, 2026 12:58

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 1 file
