Update Your Nuxt API Module to Prevent Denial of Service Attacks

CVE: CVE-2023-49800
CVSS (v3.1): 7.5
Source: CVE-2023-49800

The popular Nuxt API module nuxt-api-party was vulnerable to denial of service attacks before version 0.22.1. This module allows making API requests in Nuxt applications.

Attackers could abuse the retry logic in the module to cause servers to crash. They would construct a URL that wouldn’t fetch successfully and set a very high number of retry attempts. This would cause the ofetch error handling to recursively call itself, overflowing the stack and crashing the server.

By crashing servers, attackers could launch denial of service attacks and make applications unavailable. This affects any site using nuxt-api-party to make API requests.

Luckily, the developers have addressed this issue in version 0.22.1. All users are advised to upgrade to the latest version as soon as possible to protect themselves.

If upgrading is not possible for any reason, users should limit the number of retry attempts allowed through ofetch options to prevent abuse of the retry logic from crashing servers. Taking these steps will help secure applications from these denial of service attacks.
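
One way to apply the workaround above, as an added example that is not code from nuxt-api-party or ofetch: bound the `retry` and `retryDelay` options before any request-influenced options object is handed to ofetch. The function names and the two ceilings are assumptions chosen for illustration.

```javascript
// Added example: hypothetical helper, not part of nuxt-api-party or ofetch.
const MAX_RETRY = 3;             // assumed ceiling; size it to your upstream API
const MAX_RETRY_DELAY_MS = 2000; // assumed ceiling

// Coerce an untrusted value to an integer in [0, max].
// Strings, NaN, Infinity and other non-numbers collapse to 0.
function clampInt(value, max) {
  if (typeof value !== 'number' || !Number.isFinite(value)) return 0;
  return Math.min(Math.max(Math.trunc(value), 0), max);
}

// Build the options object passed to ofetch from an untrusted one.
// Only `retry` and `retryDelay` are bounded; other keys are copied as-is.
function sanitizeFetchOptions(untrusted = {}) {
  const safe = { ...untrusted };
  if ('retry' in untrusted) {
    // ofetch accepts `retry: false` to disable retries; normalise it to 0.
    safe.retry = untrusted.retry === false
      ? 0
      : clampInt(untrusted.retry, MAX_RETRY);
  }
  // When `retry` is absent it stays absent, so ofetch's own default applies.
  if ('retryDelay' in untrusted) {
    safe.retryDelay = clampInt(untrusted.retryDelay, MAX_RETRY_DELAY_MS);
  }
  return safe;
}

// Constructed sample inputs, shaped like options parsed from a request body.
const samples = [
  { retry: 1e9 },
  { retry: '50' },
  { retry: -1 },
  { retry: 2, retryDelay: 60000 },
  { method: 'GET' },
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', JSON.stringify(sanitizeFetchOptions(s)));
}
```

Call `sanitizeFetchOptions` at the single point where the server builds its ofetch call, so no code path can forward an unbounded retry count.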
