CVE-2023-49799

`nuxt-api-party` is an open source module to proxy API requests. nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use the regular expression `^https?://`, however this regular expression can be bypassed by an absolute URL with leading whitespace. For example `\nhttps://whatever.com` which has a leading newline. According to the fetch specification, before a fetch is made the URL is normalized. "To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue.". This means the final request will be normalized to `https://whatever.com` bypassing the check and nuxt-api-party will send a request outside of the whitelist. This could allow us to leak credentials or perform Server-Side Request Forgery (SSRF). This vulnerability has been addressed in version 0.22.1. Users are advised to upgrade. Users unable to upgrade should revert to the previous method of detecting absolute URLs.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://fetch.spec.whatwg.org/	Not Applicable
https://fetch.spec.whatwg.org/#http-whitespace-byte	Not Applicable
https://github.com/johannschopplich/nuxt-api-party/blob/777462e1e3af1d9f8938aa33f230cd8cb6e0cc9a/src/runtime/server/handler.ts#L31	Issue Tracking
https://github.com/johannschopplich/nuxt-api-party/security/advisories/GHSA-3wfp-253j-5jxv	Exploit Mitigation Vendor Advisory
https://infra.spec.whatwg.org/#byte-sequence	Not Applicable

Configurations

Configuration 1 (hide)

cpe:2.3:a:johannschopplich:nuxt_api_party:*:*:*:*:*:node.js:*:*

History

13 Dec 2023, 17:25

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-09 00:15

Updated : 2024-02-28 20:54

NVD link : CVE-2023-49799

Mitre link : CVE-2023-49799

CVE.ORG link : CVE-2023-49799

JSON object : View

Products Affected

johannschopplich

nuxt_api_party

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2023-49799", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-12-09T00:15:07.393", "references": [{"url": "https://fetch.spec.whatwg.org/", "tags": ["Not Applicable"], "source": "security-advisories@github.com"}, {"url": "https://fetch.spec.whatwg.org/#http-whitespace-byte", "tags": ["Not Applicable"], "source": "security-advisories@github.com"}, {"url": "https://github.com/johannschopplich/nuxt-api-party/blob/777462e1e3af1d9f8938aa33f230cd8cb6e0cc9a/src/runtime/server/handler.ts#L31", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/johannschopplich/nuxt-api-party/security/advisories/GHSA-3wfp-253j-5jxv", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://infra.spec.whatwg.org/#byte-sequence", "tags": ["Not Applicable"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "`nuxt-api-party` is an open source module to proxy API requests. nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use the regular expression `^https?://`, however this regular expression can be bypassed by an absolute URL with leading whitespace. For example `\\nhttps://whatever.com` which has a leading newline. According to the fetch specification, before a fetch is made the URL is normalized. \"To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue.\". This means the final request will be normalized to `https://whatever.com` bypassing the check and nuxt-api-party will send a request outside of the whitelist. This could allow us to leak credentials or perform Server-Side Request Forgery (SSRF). This vulnerability has been addressed in version 0.22.1. Users are advised to upgrade. Users unable to upgrade should revert to the previous method of detecting absolute URLs."}, {"lang": "es", "value": "`nuxt-api-party` es un m\u00f3dulo de c\u00f3digo abierto para enviar solicitudes de API. nuxt-api-party intenta comprobar si el usuario ha pasado una URL absoluta para evitar el ataque antes mencionado. Esto se cambi\u00f3 recientemente para usar la expresi\u00f3n regular `^https?://`; sin embargo, esta expresi\u00f3n regular se puede omitir mediante una URL absoluta con espacios en blanco al principio. Por ejemplo `\\nhttps://whatever.com` que tiene una nueva l\u00ednea inicial. Seg\u00fan la especificaci\u00f3n de recuperaci\u00f3n, antes de realizar una recuperaci\u00f3n, la URL se normaliza. \"Para normalizar una secuencia de bytes de valor potencial, elimine los bytes de espacio en blanco HTTP iniciales y finales de valor potencial\". Esto significa que la solicitud final se normalizar\u00e1 en `https://whatever.com` sin pasar por la verificaci\u00f3n y nuxt-api-party enviar\u00e1 una solicitud fuera de la lista blanca. Esto podr\u00eda permitirnos filtrar credenciales o realizar Server-Side Request Forgery (SSRF). Esta vulnerabilidad se ha solucionado en la versi\u00f3n 0.22.1. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben volver al m\u00e9todo anterior para detectar URL absolutas."}], "lastModified": "2023-12-13T17:25:57.097", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:johannschopplich:nuxt_api_party:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "3FF05127-C972-40EC-A3E2-6733D255DAA2", "versionEndIncluding": "0.21.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}