CVE-2023-49799 Server-Side Request Forgery in nuxt-api-party

2023-12-0823:45:18

CWE-918

GitHub_M

www.cve.org

server-side request forgery

nuxt-api-party

cve-2023-49799

security vulnerability

api proxy

url validation

normalization

version 0.22.1

upgrade advice

whitelist bypass

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

32.6%

JSON

nuxt-api-party is an open source module to proxy API requests. nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use the regular expression ^https?://, however this regular expression can be bypassed by an absolute URL with leading whitespace. For example \nhttps://whatever.com which has a leading newline. According to the fetch specification, before a fetch is made the URL is normalized. “To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue.”. This means the final request will be normalized to https://whatever.com bypassing the check and nuxt-api-party will send a request outside of the whitelist. This could allow us to leak credentials or perform Server-Side Request Forgery (SSRF). This vulnerability has been addressed in version 0.22.1. Users are advised to upgrade. Users unable to upgrade should revert to the previous method of detecting absolute URLs.

CNA Affected

[
  {
    "vendor": "johannschopplich",
    "product": "nuxt-api-party",
    "versions": [
      {
        "version": "< 0.22.1",
        "status": "affected"
      }
    ]
  }
]