Update Your nuxt-api-party Module to Patch SSRF Vulnerability

CVE: CVE-2023-49799
CVSS v3.1: 7.5
Source: CVE-2023-49799

nuxt-api-party is a popular open source module used for proxying API requests in Nuxt applications. A recent security issue was discovered that could allow attackers to perform Server-Side Request Forgery (SSRF) attacks against applications using older versions of nuxt-api-party.

The module inspects the path a client supplies so that the proxied request stays on the configured upstream endpoint rather than being sent to an arbitrary absolute URL. That check was applied to the raw string, while the fetch layer normalizes the URL before issuing the request: the WHATWG URL parser strips leading and trailing whitespace and C0 control characters, and removes tab and newline characters anywhere in the input, before it parses. An absolute URL prefixed with whitespace, such as `\nhttps://example.com`, therefore does not look like an absolute URL to the check, yet is normalized to `https://example.com/` and fetched, so the request leaves the intended upstream.
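To make the mechanism concrete, here is an added JavaScript example; it is not nuxt-api-party's own code, and the upstream URL and sample paths are constructed for the demonstration. It contrasts a prefix check on the raw client string, standing in for the class of check the advisory describes, with what the WHATWG URL parser (Node's global `URL`) actually resolves, and then shows a check that decides on the parsed result instead. It goes beyond the advisory's leading-newline case to two other inputs that defeat raw-string prefix checks, a newline inside the scheme and a scheme-relative `//host` URL, plus a `..` path that stays on the host but climbs out of the upstream prefix.

```javascript
// Added example, not code from nuxt-api-party. UPSTREAM and SAMPLES are
// constructed for this demonstration; `URL` is Node's built-in WHATWG parser.

// Hypothetical upstream the proxy is supposed to stay on.
const UPSTREAM = 'https://api.internal.example/v1/';

// A check in the spirit of the vulnerable one: it looks only at the raw
// string, so anything that is not literally "http(s)://..." passes.
function isAbsoluteNaive(path) {
  return /^https?:\/\//i.test(path);
}

// Where the request really goes: resolve the client path against the upstream
// the way a URL-normalizing fetch layer does. The WHATWG parser strips leading
// and trailing C0 controls and spaces, and removes tab/newline characters
// anywhere in the input, before parsing.
function resolveAgainstUpstream(path) {
  return new URL(path, UPSTREAM).href;
}

// Hardened check: decide on the parsed result, not on the raw string. Accept
// only targets that keep the upstream origin and stay under its path prefix.
function isAllowed(path) {
  let target;
  try {
    target = new URL(path, UPSTREAM);
  } catch {
    return false; // unparseable input: fail closed
  }
  const base = new URL(UPSTREAM);
  return target.origin === base.origin && target.pathname.startsWith(base.pathname);
}

// Constructed sample paths: a legitimate relative path, the advisory's
// leading-newline bypass, a newline embedded in the scheme, a scheme-relative
// URL, and a path that escapes the upstream prefix on the same host.
const SAMPLES = [
  'users/42',
  '\nhttps://example.com',
  'ht\ntps://example.com',
  '//example.com/',
  '../../admin',
];

// Summarize how each sample fares under the naive check, after normalization,
// and under the hardened check.
function evaluate(path) {
  return {
    path: JSON.stringify(path),
    naiveRejects: isAbsoluteNaive(path),
    resolvesTo: resolveAgainstUpstream(path),
    allowed: isAllowed(path),
  };
}

for (const sample of SAMPLES) {
  console.log(evaluate(sample));
}
```

The property worth carrying over to your own proxies is that the decision about where a request may go is made on the same representation the HTTP client will use. Comparing the parsed `origin` and path prefix also covers inputs a raw-string check never considered, such as scheme-relative URLs and `..` segments.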

An SSRF attack in this scenario could allow an attacker to access internal services or credentials by tricking the application into making requests on the attacker’s behalf. This poses a serious risk to the confidentiality and integrity of the system.

The maintainers have released version 0.22.1 of nuxt-api-party, which changes how the module validates the supplied URL. All users are strongly advised to upgrade immediately. For those unable to upgrade, reverting the URL check method is suggested as a temporary mitigation. Keeping up with security updates for modules that proxy requests on your behalf is the most reliable way to keep a Nuxt application and its data out of reach of this kind of exploit.
