
Researchers Uncover Nuclei Vulnerability Enabling Signature Bypass and Code Execution

By The Hacker News
January 4, 2025


Jan 04, 2025Ravie LakshmananVulnerability / Software Security

A high-severity security flaw has been disclosed in ProjectDiscovery’s Nuclei, a widely used open-source vulnerability scanner. If successfully exploited, the flaw could allow attackers to bypass signature checks and potentially execute malicious code.

Tracked as CVE-2024-43405, it carries a CVSS score of 7.4 out of a maximum of 10.0. It impacts all versions of Nuclei later than 3.0.0.

“The vulnerability stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, combined with the way multiple signatures are processed,” according to a description of the vulnerability.

“This allows an attacker to inject malicious content into a template while maintaining a valid signature for the benign part of the template.”


Nuclei is a vulnerability scanner designed to probe modern applications, infrastructure, cloud platforms, and networks to identify security flaws. The scanning engine makes use of templates, which are nothing but YAML files, to send specific requests in order to determine the presence of a flaw.

Furthermore, it can enable the execution of external code on the host operating system using the code protocol, thereby giving researchers more flexibility over security testing workflows.

Cloud security firm Wiz, which discovered CVE-2024-43405, said the vulnerability is rooted in the template signature verification process, which is used to ensure the integrity of the templates made available in the official templates repository.

Successful exploitation of the vulnerability bypasses this crucial verification step, allowing attackers to craft malicious templates that can execute arbitrary code and access sensitive data from the host.

“Since this signature verification is currently the only method available for validating Nuclei templates, it represents a potential single point of failure,” Wiz researcher Guy Goldenberg said in a Friday analysis.

At its core, the problem stems from the use of regular expressions (aka regex) for signature validation and from the parsing conflict that arises when both a regex and a YAML parser process the same template. This opens the door to a scenario where an attacker can introduce a “\r” character that sidesteps the regex-based signature verification but gets interpreted as a line break by the YAML parser.

Put differently, these parsing inconsistencies could be chained to create a Nuclei template that uses “\r” to include a second “# digest:” line that evades the signature verification process but gets parsed and executed by the YAML interpreter.

“Go’s regex-based signature verification treats \r as part of the same line, while the YAML parser interprets it as a line break. This mismatch allows attackers to inject content that bypasses verification but is executed by the YAML parser,” Goldenberg explained.

“The verification logic validates only the first # digest: line. Additional # digest: lines are ignored during verification but remain in the content to be parsed and executed by YAML.”

Furthermore, the verification process includes a step to exclude the signature line from the template content, but does so in a manner that only the first line is validated, thus leaving the subsequent lines unverified but executable.
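The line-break mismatch described above can be checked for before a template is trusted. The following Go sketch is an added example, not Nuclei's or Wiz's code: the regex pattern, the `Inspect` and `Finding` names and the sample strings are assumptions constructed for illustration. It counts `# digest:` lines under both line-break rules and flags any template where the two views disagree.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed line-anchored pattern for the signature comment (illustrative, not
// taken from Nuclei's source). In Go's regexp, (?m) ^ and $ break on \n only.
var digestRe = regexp.MustCompile(`(?m)^#\sdigest:\s.+$`)

// Finding records how the regex view and the YAML view of one template differ.
type Finding struct {
	RegexDigests int  // "# digest:" lines seen by the line-anchored regex
	YAMLDigests  int  // "# digest:" lines once \r also counts as a line break
	BareCR       bool // a \r that is not part of \r\n
}

// Suspicious is true when the two views disagree or more than one digest exists.
func (f Finding) Suspicious() bool {
	return f.BareCR || f.YAMLDigests > 1 || f.RegexDigests != f.YAMLDigests
}

// Inspect counts signature lines under both line-break rules.
func Inspect(tmpl string) Finding {
	f := Finding{RegexDigests: len(digestRe.FindAllString(tmpl, -1))}
	crlfFolded := strings.ReplaceAll(tmpl, "\r\n", "\n")
	f.BareCR = strings.Contains(crlfFolded, "\r")
	// YAML treats \r\n, \n and a lone \r as line breaks.
	for _, line := range strings.Split(strings.ReplaceAll(crlfFolded, "\r", "\n"), "\n") {
		if strings.HasPrefix(line, "# digest:") {
			f.YAMLDigests++
		}
	}
	return f
}

// Constructed samples: placeholder digests, no real template content.
const cleanSample = "id: sample\ninfo:\n  name: constructed\n# digest: PLACEHOLDER-1\n"
const mixedSample = "id: sample\n# note\r# digest: PLACEHOLDER-2\n# digest: PLACEHOLDER-1\n"

func main() {
	for _, s := range []string{cleanSample, mixedSample} {
		f := Inspect(s)
		fmt.Printf("%+v suspicious=%v\n", f, f.Suspicious())
	}
}
```

A check like this can run as a pre-flight gate on community-contributed templates; it complements, and does not replace, upgrading to a fixed Nuclei release.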


Following responsible disclosure, it was addressed by ProjectDiscovery on September 4, 2024, with version 3.3.2. The current version of Nuclei is 3.3.7.

“Attackers could craft malicious templates containing manipulated # digest lines or carefully placed \r line breaks to bypass Nuclei’s signature verification,” Goldenberg said.

“An attack vector for this vulnerability arises when organizations run untrusted or community-contributed templates without proper validation or isolation. An attacker could exploit this functionality to inject malicious templates, leading to arbitrary command execution, data exfiltration, or system compromise.”
