5.3 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): None (N)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): None (N)
Nitro: Proxy scope bypass via percent-encoded path traversal in `routeRules`
Nitro is a next-generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending a percent-encoded path traversal sequence (`..%2f`) in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. This vulnerability is fixed in 3.0.260429-beta.
References
- https://github.com/nitrojs/nitro/security/advisories/GHSA-5w89-w975-hf9q (x_refsource_CONFIRM)
- https://github.com/nitrojs/nitro/pull/4222 (x_refsource_MISC)
- https://github.com/nitrojs/nitro/pull/4223 (x_refsource_MISC)
- https://github.com/nitrojs/nitro/releases/tag/v2.13.4 (x_refsource_MISC)
- https://github.com/nitrojs/nitro/releases/tag/v3.0.260429-beta (x_refsource_MISC)
Affected products
- ==< 3.0.260429-beta
- ==< 2.13.4
Matching in nixpkgs
pkgs.nitrocli
Command line tool for interacting with Nitrokey devices
pkgs.nitrogen
Wallpaper browser and setter for X11
pkgs.pynitrokey
Python client for Nitrokey devices
pkgs.libnitrokey
Communicate with Nitrokey devices in a clean and easy manner
pkgs.nitrokey-app
Provides extra functionality for the Nitrokey Pro and Storage
pkgs.nitrokey-app2
This application allows to manage Nitrokey 3 devices
- nixos-unstable app2-2.5.2
- nixpkgs-unstable app2-2.5.2
- nixos-unstable-small app2-2.5.2
- nixos-25.11 app2-2.4.3
- nixos-25.11-small app2-2.4.3
- nixpkgs-25.11-darwin app2-2.4.3
pkgs.nitrotpm-tools
Collection of utilities for working with NitroTPM attestation
pkgs.nitrokey-udev-rules
udev rules for Nitrokey devices
pkgs.nitrokey-pro-firmware
Firmware for the Nitrokey Pro device
pkgs.nitrokey-fido2-firmware
Firmware for the Nitrokey FIDO2 device
- nixos-25.11 fido2-firmware-2.4.1
- nixos-25.11-small fido2-firmware-2.4.1
- nixpkgs-25.11-darwin fido2-firmware-2.4.1
pkgs.nitrokey-start-firmware
Firmware for the Nitrokey Start device
pkgs.haskellPackages.n2o-nitro
Nitro Elements, Events and Actions
pkgs.nitrokey-storage-firmware
Firmware for the Nitrokey Storage device
pkgs.python312Packages.nitrokey
Python SDK for Nitrokey devices
pkgs.python313Packages.nitrokey
Python SDK for Nitrokey devices
pkgs.python314Packages.nitrokey
Python SDK for Nitrokey devices
pkgs.nitrokey-trng-rs232-firmware
Firmware for the Nitrokey TRNG RS232 device
- nixos-unstable rs232-firmware-1.0.0
- nixpkgs-unstable rs232-firmware-1.0.0
- nixos-unstable-small rs232-firmware-1.0.0
- nixos-25.11 rs232-firmware-1.0.0
- nixos-25.11-small rs232-firmware-1.0.0
- nixpkgs-25.11-darwin rs232-firmware-1.0.0
pkgs.python312Packages.pynitrokey
Python client for Nitrokey devices
pkgs.python313Packages.pynitrokey
Python client for Nitrokey devices
pkgs.python314Packages.pynitrokey
Python client for Nitrokey devices
Package maintainers
- @RaitoBezarius Ryan Lahfa <ryan@lahfa.xyz>
- @panicgh Nicolas Benes <nbenes.gh@xandea.de>
- @robinkrahl Robin Krahl <nix@ireas.org>
- @auntieNeo Jonathan Glines <auntieNeo@gmail.com>
- @KaiHa Kai Harries <kai.harries@gmail.com>
- @999eagle Sophie Tauchert <github@999eagle.moe>
- @amerinor01 Alberto Merino <amerinor01@gmail.com>
- @kiike Enric Morales <me@enric.me>
- @imadnyc Abdullah Imad <me@imad.nyc>
- @frogamic Dominic Shelton <frogamic@protonmail.com>
- @mariusknaust Marius Knaust <marius.knaust@gmail.com>
- @arianvp Arian van Putten <arian.vanputten@gmail.com>