CVE-2023-49799
nuxt-api-party is an open source module to proxy API requests. nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use the regular expression ^https?://, however this regular expression can be bypassed by ...
CVE-2023-49800
nuxt-api-party is an open source module to proxy API requests. The library allows the user to send many options directly to ofetch. There is no filter on which options are available. We can abuse the retry logic to cause the server to crash from a stack overflow. fetchOptions are obtained directl...
EUVD-2023-3089
Malicious code in bioql PyPI...
Server Side Request Forgery
nuxt-api-party is vulnerable to Server-Side Request Forgery. The vulnerability exists due to a faulty regular expression which does not take leading white space into account during validation within server.ts, allowing an attacker to execute requests bypassing the whitelist, leading to unauthorized access...
SSRF & Credentials Leak
Summary nuxt-api-party allows developers to proxy requests to an API without exposing credentials to the client. A previous vulnerability allowed an attacker to change the baseURL of the request, potentially leading to credentials being leaked or SSRF. This vulnerability is similar, and was cause...
DOS by abusing `fetchOptions.retry`.
Summary nuxt-api-party allows developers to proxy requests to an API without exposing credentials to the client. ofetch is used to send the requests. The library allows the user to send many options directly to ofetch. There is no filter on which options are available. We can abuse the retry logi...
GHSA-Q6HX-3M4P-749H DOS by abusing `fetchOptions.retry`.
Summary nuxt-api-party allows developers to proxy requests to an API without exposing credentials to the client. ofetch is used to send the requests. The library allows the user to send many options directly to ofetch. There is no filter on which options are available. We can abuse the retry logi...
Stack overflow
nuxt-api-party is an open source module to proxy API requests. The library allows the user to send many options directly to ofetch. There is no filter on which options are available. We can abuse the retry logic to cause the server to crash from a stack overflow. fetchOptions are obtained directl...
Server side request forgery (ssrf)
nuxt-api-party is an open source module to proxy API requests. nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use the regular expression ^https?://, however this regular expression can be bypassed by ...
nuxt-api-party Code Issue Vulnerability
nuxt-api-party is an open source module by Johann Schopplich, an individual developer, for proxying API requests. A code issue vulnerability exists in nuxt-api-party version 0.21.3, which stems from lax absolute-URL detection: absolute URLs with leading whitespace can bypass the ^https?:// regular expression,...
CVE-2023-49799 Server-Side Request Forgery in nuxt-api-party
nuxt-api-party is an open source module to proxy API requests. nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use the regular expression ^https?://, however this regular expression can be bypassed by ...
CVE-2023-49799
The CVE-2023-49799 entry concerns the nuxt-api-party module, where a regex-based absolute-URL check (^https?://) can be bypassed by absolute URLs with leading whitespace (e.g., a leading newline). This can allow requests to bypass the whitelist, enabling Server-Side Request Forgery (SSRF) and pot...
CVE-2023-49800 Denial of service by abusing `fetchOptions.retry` in nuxt-api-party
nuxt-api-party is an open source module to proxy API requests. The library allows the user to send many options directly to ofetch. There is no filter on which options are available. We can abuse the retry logic to cause the server to crash from a stack overflow. fetchOptions are obtained directl...
CVE-2023-49800
CVE-2023-49800 affects the nuxt-api-party module. The issue arises from passing unfiltered fetchOptions from the request body into ofetch, allowing an attacker to craft a URL and set excessively high retry values, triggering recursive error handling that leads to a stack overflow and DoS. A fix i...
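The two entries above (CVE-2023-49799, the ^https?:// bypass, and CVE-2023-49800, the unfiltered `retry` option) share one root cause: request data from the client is trusted by a server-side proxy. The following is an added example, not nuxt-api-party's own code, showing why the regex check fails and what a parser-based check and a fetchOptions allow-list look like. The placeholder origin, the allow-list contents and the probe strings are assumptions made for the example; the WHATWG URL parser's stripping of leading control characters and spaces is standard behaviour that Node's `URL` implements.

```javascript
// Added example (not nuxt-api-party's code): contrasts the regex-based
// absolute-URL check described in the advisories with a parser-based one,
// and allow-lists fetchOptions so a client cannot set `retry`.

const NAIVE_ABSOLUTE_URL = /^https?:\/\//;

// The check the advisories describe: only catches paths that *start* with
// http(s)://, so "\nhttps://attacker.example/" passes because of the newline.
function naiveIsAbsolute(path) {
  return NAIVE_ABSOLUTE_URL.test(path);
}

// Hardened check: resolve the path against a placeholder base the way a URL
// parser (and therefore the HTTP client) will, then reject anything whose
// origin differs from the placeholder's. The WHATWG parser strips leading
// C0 control characters and spaces, so leading whitespace no longer helps,
// and protocol-relative "//host/..." paths are caught as well.
const PLACEHOLDER_BASE = 'http://placeholder.invalid'; // assumed, example only
function safeIsAbsolute(path) {
  let resolved;
  try {
    resolved = new URL(path, PLACEHOLDER_BASE);
  } catch {
    return true; // unparsable input: refuse rather than guess
  }
  return resolved.origin !== PLACEHOLDER_BASE;
}

// Forward only the fetch options a proxy endpoint actually needs; anything
// else, including `retry`, is dropped. The allow-list is an assumption for
// this example, not the module's; header values still deserve review.
const ALLOWED_FETCH_OPTIONS = new Set(['method', 'query', 'headers', 'body']);
function sanitizeFetchOptions(fetchOptions = {}) {
  const out = {};
  for (const [key, value] of Object.entries(fetchOptions)) {
    if (ALLOWED_FETCH_OPTIONS.has(key)) out[key] = value;
  }
  return out;
}

// Constructed probe inputs mimicking what a client could POST to the proxy.
const probes = [
  'users/1',
  'https://attacker.example/',
  '\nhttps://attacker.example/',
  '//attacker.example/x',
];
for (const p of probes) {
  console.log(
    JSON.stringify(p),
    'naive:', naiveIsAbsolute(p),
    'safe:', safeIsAbsolute(p),
    'parsed as:', new URL(p, PLACEHOLDER_BASE).href,
  );
}
console.log(sanitizeFetchOptions({ method: 'GET', retry: 1e9, headers: { a: 'b' } }));
```

Running the block prints, for each probe, what the regex says versus what the URL parser actually resolves; the newline-prefixed and protocol-relative probes are the ones where the two disagree. Dropping unknown fetchOptions keys closes the `retry` vector without needing to know every option ofetch accepts.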
CVE-2023-49800 Denial of service by abusing `fetchOptions.retry` in nuxt-api-party
nuxt-api-party is an open source module to proxy API requests. The library allows the user to send many options directly to ofetch. There is no filter on which options are available. We can abuse the retry logic to cause the server to crash from a stack overflow. fetchOptions are obtained directl...
CVE-2023-49800
| creationtimestamp | type | source |
|---|---|---|
| 2023-12-08 23:22:29+00:00 | published-proof-of-concept | https://github.com/johannschopplich/nuxt-api-party/security/advisories/GHSA-q6hx-3m4p-749h... |
PT-2023-31357 · Unknown · Nuxt-Api-Party
Name of the Vulnerable Software and Affected Versions: nuxt-api-party versions prior to 0.22.1 Description: The issue arises from a recent change in the detection of absolute URLs, which is no longer sufficient to prevent Server-Side Request Forgery (SSRF). The regular expression ^https?:// used to...