Server-Side Request Forgery (SSRF) Affecting nuxt-api-party package, versions <0.22.1
Threat Intelligence
EPSS
0.08% (33rd
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-NUXTAPIPARTY-6115181
- published 11 Dec 2023
- disclosed 9 Dec 2023
- credit OhB00
Introduced: 9 Dec 2023
CVE-2023-49799 Open this link in a new tabHow to fix?
Upgrade nuxt-api-party
to version 0.22.1 or higher.
Overview
nuxt-api-party is a Nuxt 3 module to securely connect with any API
Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) during the regular expression check for absolute URLs. An attacker can bypass the check and cause the application to send a request to an arbitrary URL by providing an absolute URL with leading whitespace, such as a newline character. This could lead to a credentials leak.
Workaround
Revert to the previous method of detecting absolute URLs.
if (new URL(path, 'http://localhost').origin !== 'http://localhost') {
// ...
}
CVSS Scores
version 3.1