First published: Fri Dec 08 2023
### Summary

`nuxt-api-party` allows developers to proxy requests to an API without exposing credentials to the client. [A previous vulnerability](https://huntr.dev/bounties/4c57a3f6-0d0e-4431-9494-4a1e7b062fbf/) allowed an attacker to change the base URL of the proxied request, potentially leaking credentials or enabling SSRF. This vulnerability is similar: it was introduced by a recent change to the detection of absolute URLs, which is no longer sufficient to prevent SSRF.

### Details

`nuxt-api-party` attempts to check whether the user has passed an absolute URL, to prevent the attack described above. This check was recently changed to [use a regular expression](https://github.com/johannschopplich/nuxt-api-party/blob/777462e1e3af1d9f8938aa33f230cd8cb6e0cc9a/src/runtime/server/handler.ts#L31), `^https?://`.

The regular expression can be bypassed with an absolute URL that has leading whitespace, for example `\nhttps://whatever.com`, which has a leading newline: `^https?://` does not match because the first character of the string is the newline rather than `h`. According to the Fetch specification, a URL is normalized before a fetch is made: "To normalize a [byte sequence](https://infra.spec.whatwg.org/#byte-sequence) potentialValue, remove any leading and trailing [HTTP whitespace bytes](https://fetch.spec.whatwg.org/#http-whitespace-byte) from potentialValue." ([source](https://fetch.spec.whatwg.org/)) The WHATWG URL parser behaves the same way, stripping leading and trailing C0 control or space characters from its input before parsing. The final request is therefore normalized to `https://whatever.com`. The check has been bypassed and `nuxt-api-party` sends a request outside the whitelist, which can leak credentials or be used for SSRF.

### PoC

PoC using Node. The request is made against the Nuxt application's own origin, and `MyEndpoint` is the name of a configured API Party endpoint:

```js
await fetch("/api/__api_party/MyEndpoint", {
  method: "POST",
  body: JSON.stringify({ path: "\nhttps://google.com" }),
  headers: { "Content-Type": "application/json" }
})
```

`__proto__` can be used as a substitute for the endpoint name if it is not known. This will not leak any credentials, as all attributes on `endpoint` will be undefined, but it still demonstrates the SSRF:

```js
await fetch("/api/__api_party/__proto__", {
  method: "POST",
  body: JSON.stringify({ path: "\nhttps://google.com" }),
  headers: { "Content-Type": "application/json" }
})
```

### Impact

Leak of sensitive API credentials. SSRF.

### Fix

Revert to the previous method of detecting absolute URLs, which resolves the path against a dummy origin and rejects it if the origin changes:

```js
if (new URL(path, 'http://localhost').origin !== 'http://localhost') {
  // ...
}
```
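The regex check the advisory describes and the origin comparison it recommends as the fix, side by side, as an added example that is not nuxt-api-party's own code. It goes beyond the page's single payload: besides the leading newline, it feeds in a leading space, a newline embedded inside the scheme (which the WHATWG URL parser also removes before parsing) and a protocol-relative `//host` path; none of these match `^https?://`, but the origin comparison rejects them all. `whatever.com`, the sample paths and the `http://localhost` dummy base are constructed inputs, and the function names are the example's own.

```javascript
// Added example (not nuxt-api-party's code): contrast the regex-based
// absolute-URL check that CVE-2023-49799 bypassed with the URL-origin check
// the advisory recommends as the fix.

// Vulnerable check from the advisory: only rejects paths that *start* with http(s)://.
function isAbsoluteByRegex(path) {
  return /^https?:\/\//.test(path);
}

// Recommended check: resolve the path against a dummy base and see whether
// the resulting origin changed. The WHATWG URL parser strips leading and
// trailing C0 control or space characters and removes embedded ASCII tab or
// newline before parsing, so whitespace tricks collapse before the origin
// is compared. Unparseable input is treated as unsafe.
const DUMMY_BASE = 'http://localhost'; // constructed dummy origin, as in the fix
function escapesOrigin(path) {
  let parsed;
  try {
    parsed = new URL(path, DUMMY_BASE);
  } catch {
    return true;
  }
  return parsed.origin !== DUMMY_BASE;
}

// The URL the proxy would actually request for a given user-supplied path.
function resolvedTarget(path) {
  return new URL(path, DUMMY_BASE).href;
}

// Constructed inputs: the advisory's payload plus a few variants.
const SAMPLES = {
  legit: '/users/42',
  absolute: 'https://whatever.com/x',
  leadingNewline: '\nhttps://whatever.com',
  leadingSpace: ' https://whatever.com',
  splitScheme: 'ht\ntps://whatever.com',
  protocolRelative: '//whatever.com/x',
};

// Evaluate one path under both checks and report where the request would go.
function evaluate(path) {
  return {
    regexBlocks: isAbsoluteByRegex(path),
    originBlocks: escapesOrigin(path),
    target: resolvedTarget(path),
  };
}

// Table of results for all samples, keyed by sample name.
function evaluateAll() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, path]) => [name, evaluate(path)])
  );
}

for (const [name, result] of Object.entries(evaluateAll())) {
  console.log(name.padEnd(18), result);
}
```

Only `absolute` is caught by the regex; every other hostile sample slips past it and resolves to `whatever.com`, while `escapesOrigin` rejects all of them and still lets the legitimate relative path through.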
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
npm/nuxt-api-party | <0.22.0 | 0.22.0 |
Johannschopplich Nuxt Api Party | <=0.21.3 | 0.22.0 |
CVE-2023-49799 is considered a high severity vulnerability because an attacker can manipulate the URL of requests proxied through nuxt-api-party, leading to SSRF or leakage of the API credentials the proxy holds.
CVE-2023-49799 affects nuxt-api-party versions prior to 0.22.0, that is, 0.21.3 and earlier.
To fix CVE-2023-49799, update the nuxt-api-party package to version 0.22.0 or later.