Nixpkgs security tracker

Untriaged

Permalink CVE-2026-44372

5.3 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): Passive (P)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): Low (L)
Subsequent System Impact Integrity (SI): Low (L)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Passive (P)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Low (L)
Modified Subsequent System Impact Integrity (MSI): Low (L)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

created 1 day, 20 hours ago Activity log

Created suggestion 1 day, 20 hours ago

Nitro: Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. This vulnerability is fixed in 3.0.260429-beta.

References

https://github.com/nitrojs/nitro/security/advisories/GHSA-9phm-9p8f-hw5m x_refsource_CONFIRM
https://github.com/nitrojs/nitro/pull/4236 x_refsource_MISC
https://github.com/nitrojs/nitro/releases/tag/v2.13.4 x_refsource_MISC
https://github.com/nitrojs/nitro/releases/tag/v3.0.260429-beta x_refsource_MISC

Affected products

nitro

==< 3.0.260429-beta

nitropack

==< 2.13.4

Matching in nixpkgs

pkgs.nitrocli

Command line tool for interacting with Nitrokey devices

nixos-unstable 0.4.1
- nixpkgs-unstable 0.4.1
- nixos-unstable-small 0.4.1
nixos-25.11 0.4.1
- nixos-25.11-small 0.4.1
- nixpkgs-25.11-darwin 0.4.1

pkgs.nitrogen

Wallpaper browser and setter for X11

nixos-unstable 1.6.1
- nixpkgs-unstable 1.6.1
- nixos-unstable-small 1.6.1
nixos-25.11 1.6.1
- nixos-25.11-small 1.6.1
- nixpkgs-25.11-darwin 1.6.1

pkgs.pynitrokey

Python client for Nitrokey devices

nixos-unstable 0.11.4
- nixpkgs-unstable 0.11.4
- nixos-unstable-small 0.11.4
nixos-25.11 0.11.2
- nixos-25.11-small 0.11.2
- nixpkgs-25.11-darwin 0.11.2

pkgs.libnitrokey

Communicate with Nitrokey devices in a clean and easy manner

nixos-unstable 3.8
- nixpkgs-unstable 3.8
- nixos-unstable-small 3.8
nixos-25.11 3.8
- nixos-25.11-small 3.8
- nixpkgs-25.11-darwin 3.8

pkgs.nitrokey-app

Provides extra functionality for the Nitrokey Pro and Storage

nixos-unstable 1.4.2
- nixpkgs-unstable 1.4.2
- nixos-unstable-small 1.4.2
nixos-25.11 1.4.2
- nixos-25.11-small 1.4.2
- nixpkgs-25.11-darwin 1.4.2

pkgs.nitrokey-app2

This application allows to manage Nitrokey 3 devices

nixos-unstable app2-2.5.2
- nixpkgs-unstable app2-2.5.2
- nixos-unstable-small app2-2.5.2
nixos-25.11 app2-2.4.3
- nixos-25.11-small app2-2.4.3
- nixpkgs-25.11-darwin app2-2.4.3