Nuclei Discloses Critical Vulnerability in Security Tool


Critical Flaw Addressed in Nuclei’s ProjectDiscovery Tool


Nuclei, the open-source vulnerability scanner, has addressed a critical vulnerability in its ProjectDiscovery tool, which has seen over 2.1 million downloads. The flaw, uncovered by security firm Wiz, allows attackers to evade signature verification checks and execute harmful code through custom templates.

Guy Goldenberg, a software engineer at Wiz, explained that the vulnerability, assigned the identifier CVE-2024-43405, could have significant consequences across the industry due to Nuclei’s widespread use. The flaw exists because the signature verification regular expression (regex) and the YAML data serialization parser interpret newline characters differently. The regex recognizes lines beginning with "# digest:" as the signature line, whereas the YAML parser discards such lines as comments, so the two components can disagree about where a line ends, leading to a critical mismatch.

To exploit this vulnerability, researchers leveraged the difference between the two parsers using the carriage return character (\r): the regex treats it as part of the current line, while the YAML parser treats it as a line break. This combination enables an attacker to inject unchecked, executable content into Nuclei templates, thereby creating pathways for significant security breaches.
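As an added illustration, not Nuclei's code and not from the article, the following constructed Python model reproduces the line-terminator disagreement described above between a multiline regex and YAML's line rules, and shows a pre-verification check that refuses any template on which the two views could differ; the HMAC key, the sample template body and all function names are assumptions.

```python
import hashlib
import hmac
import re

# Constructed model of a signed-template check; not Nuclei's own code.
# Python's re, like Go's RE2, treats only "\n" as a line boundary in (?m) mode
# and lets "." match "\r".  YAML parsers break lines on "\r" as well, as does
# str.splitlines(), which stands in for the YAML view here.
DIGEST_LINE = re.compile(r"(?m)^# digest: .+$\n?")
# Line breaks that splitlines()/YAML recognise but (?m) does not
# (YAML 1.2 breaks on "\r"; YAML 1.1 also on NEL, LS and PS).
FOREIGN_BREAK = re.compile("[\r\x0b\x0c\x1c\x1d\x1e\x85\u2028\u2029]")
KEY = b"constructed-demo-key"  # stand-in for the template signing key

def sign(body: str) -> str:
    """Stand-in signature: HMAC-SHA256 over the template minus its digest line."""
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()

def body_seen_by_regex(template: str) -> str:
    """What a regex-based verifier hashes: everything except the regex's digest 'line'."""
    return DIGEST_LINE.sub("", template, count=1)

def body_seen_by_yaml(template: str) -> str:
    """What the YAML parser consumes: every non-comment line, by YAML's line rules."""
    return "\n".join(l for l in template.splitlines() if not l.startswith("#"))

def verify_naive(template: str) -> bool:
    """Regex-only check: find the digest 'line', parse its token, hash the rest."""
    m = DIGEST_LINE.search(template)
    if not m:
        return False
    parts = m.group(0).split()  # str.split() also stops at "\r"
    if len(parts) < 3:
        return False
    return hmac.compare_digest(parts[2], sign(body_seen_by_regex(template)))

def verify_strict(template: str) -> bool:
    """Hardened check: refuse any line break the regex would not see, so both
    parsers agree on what a line is before the signature is trusted."""
    if FOREIGN_BREAK.search(template):
        return False
    return verify_naive(template)

# Constructed sample: a signed body, then the same body with an extra key
# smuggled behind the digest line via "\r".
SIGNED_BODY = "id: demo\ninfo:\n  name: demo\n"
GOOD = SIGNED_BODY + "# digest: " + sign(SIGNED_BODY) + "\n"
SMUGGLED = SIGNED_BODY + "# digest: " + sign(SIGNED_BODY) + "\rsmuggled: true\n"
```

The naive check accepts both templates because the regex swallows the smuggled line along with the digest, while the YAML view still contains it; the strict check accepts only GOOD.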

Organizations utilizing untrusted or community-sourced templates or those conducting automated scans without proper verification measures are particularly vulnerable to exploitation. Malicious actors could exploit this flaw to insert harmful templates aimed at data exfiltration or system compromise.

Nuclei addressed this significant flaw in August 2024 following Wiz’s notification. Additionally, Wiz advises users to operate their projects in sandboxed or highly isolated environments to mitigate potential risks.

This situation underscores a broader trend of increasing threats associated with open-source vulnerabilities, particularly from state-sponsored hackers. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings regarding this escalating threat landscape. A report by Sonatype in 2024 revealed that over 500,000 out of 7 million analyzed open-source projects were found to include malicious packages, prompting CISA to initiate the development of a new framework to enhance open-source security.
