Server-Side Request Forgery (SSRF) Affecting @nuxt/icon package, versions <1.4.5
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.09% (38th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-NUXTICON-7641072
- published 6 Aug 2024
- disclosed 5 Aug 2024
- credit OhB00
Introduced: 5 Aug 2024
CVE-2024-42352 Open this link in a new tabHow to fix?
Upgrade @nuxt/icon
to version 1.4.5 or higher.
Overview
@nuxt/icon is a
Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) due to improper user input sanitization in the new URL
constructor used in the /api/_nuxt_icon
endpoint. By modifying the scheme and host within the URL, an attacker can manipulate the request URL to redirect requests to an unintended server.
Workaround
This vulnerability can be mitigated by disabling the fallbackToApi
option or ensuring the host has not been changed after the path is parsed.
PoC
/api/_nuxt_icon/http:example.com