Nuclei Vulnerability Allows Signature Bypass and Code Execution

Learn about the risks of using untrusted templates in vulnerability scanners and how Check Point's solutions can help secure against signature bypass and code execution vulnerabilities.


A high-severity vulnerability has been identified in ProjectDiscovery's Nuclei, an open-source vulnerability scanner, that could allow attackers to bypass signature checks and execute malicious code. This flaw affects all versions after 3.0.0 and stems from a discrepancy between the signature verification process and the YAML parser in how newline characters are handled. Attackers can inject malicious content into templates while the signature remains valid, bypassing a crucial verification step. The problem is rooted in the use of regular expressions for signature validation; when untrusted templates are loaded, the result can be arbitrary command execution and data breaches.


Key Facts

Risks:

Open Source, Web App/Website Vulnerability, Supply Chain

Keywords:

Nuclei, CVE-2024-43405, Vulnerability Scanner, Signature Bypass, Code Execution, YAML Parsing

CVE:

CVE-2024-43405

Affected:

Nuclei


Article Body

Nuclei Vulnerability: Signature Bypass and Code Execution Risk

A significant security vulnerability has been discovered in ProjectDiscovery's Nuclei, an open-source vulnerability scanner widely used to identify security flaws in applications, infrastructure, cloud platforms, and networks. This vulnerability, identified as CVE-2024-43405, poses a severe risk as it could allow attackers to bypass signature checks and execute malicious code.

Vulnerability Details

The flaw affects all Nuclei versions after 3.0.0 and has been given a CVSS score of 7.4, indicating high severity. The issue originates from a discrepancy in how newline characters are handled by the signature verification process and the YAML parser. This discrepancy can be exploited by attackers to inject malicious content into templates while maintaining a valid signature for the benign part of the template.

Technical Explanation

Nuclei uses YAML template files to define the requests it sends and the conditions that identify a vulnerability. The scanner's template signature verification process is designed to ensure the integrity of templates in the official repository. However, this process is undermined by the use of regular expressions (regex) for signature validation, because the regex and the YAML parser disagree about where a line ends. A "\r" (carriage return) character is not treated as a line terminator by the regex-based verification, but it is treated as a line break by the YAML parser. This allows a template to carry a second "# digest:" line that is ignored by the signature check but is parsed and executed by the YAML interpreter.
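The following Go program is an added illustration of the bug class described above; it is not code from the article, from Nuclei, or from ProjectDiscovery. It models a toy signed-template format: the body is followed by a "# digest:" comment carrying an HMAC-SHA256 (constructed stand-in for Nuclei's real signature scheme, with a constructed key). VerifyRegex locates and strips the digest line with a regex whose line handling only recognises "\n", while ParserLines splits lines the way a YAML reader would ("\r", "\n" and "\r\n" all end a line). VerifyStrict is the hardened check: it refuses the ambiguous byte, requires exactly one digest line at the end, and hashes exactly the bytes that precede it, so the verifier and the parser can no longer disagree. The regex, the template text and the "injected: true" line are all constructed for the demo and do not reproduce Nuclei's actual code.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Constructed demo key. Nuclei uses public-key signatures; this toy uses HMAC
// so that signing and verifying fit in one self-contained file.
var demoKey = []byte("demo-signing-key")

// Toy digest-line matcher in the style the article describes: "^" and "[^\n]"
// treat only "\n" as a line terminator, so a "\r" stays inside the matched line.
var digestLineRe = regexp.MustCompile(`(?m)^# digest: [^\n]*\n?`)

func hmacHex(content string) string {
	m := hmac.New(sha256.New, demoKey)
	m.Write([]byte(content))
	return hex.EncodeToString(m.Sum(nil))
}

// Sign appends a "# digest:" comment over the template body (body ends in "\n").
func Sign(body string) string {
	return body + "# digest: " + hmacHex(body) + "\n"
}

// VerifyRegex models the flawed scheme: take the first digest the regex finds,
// delete every regex match, and HMAC whatever remains.
func VerifyRegex(t string) bool {
	loc := digestLineRe.FindStringIndex(t)
	if loc == nil {
		return false
	}
	claimed := strings.TrimSpace(strings.TrimPrefix(t[loc[0]:loc[1]], "# digest: "))
	stripped := digestLineRe.ReplaceAllString(t, "")
	return hmac.Equal([]byte(claimed), []byte(hmacHex(stripped)))
}

// ParserLines mimics a YAML-style reader: "\r", "\n" and "\r\n" all end a line.
// It returns the non-comment, non-blank lines the parser would actually act on.
func ParserLines(t string) []string {
	norm := strings.NewReplacer("\r\n", "\n", "\r", "\n").Replace(t)
	var out []string
	for _, ln := range strings.Split(norm, "\n") {
		ln = strings.TrimSpace(ln)
		if ln == "" || strings.HasPrefix(ln, "#") {
			continue
		}
		out = append(out, ln)
	}
	return out
}

// VerifyStrict is the hardened check: refuse the ambiguous byte outright,
// require exactly one digest line, require it to be the final line, and hash
// exactly the bytes that precede it. Verifier and parser now agree on where
// every line ends.
func VerifyStrict(t string) bool {
	if strings.ContainsRune(t, '\r') {
		return false
	}
	const marker = "# digest: "
	if strings.Count(t, marker) != 1 {
		return false
	}
	idx := strings.LastIndex(t, "\n"+marker)
	if idx < 0 || !strings.HasSuffix(t, "\n") {
		return false
	}
	body := t[:idx+1]
	claimed := strings.TrimSuffix(t[idx+1+len(marker):], "\n")
	return hmac.Equal([]byte(claimed), []byte(hmacHex(body)))
}

// CRTestCase is the regression input a defender keeps to prove a verifier
// rejects the pattern the article describes: a validly signed template with a
// second "# digest:" comment whose "\r" hides a further line from the regex
// but not from the parser. The "injected: true" line is a constructed placeholder.
func CRTestCase(signed string) string {
	return signed + "# digest: 00\rinjected: true\n"
}

func main() {
	signed := Sign("id: demo\ninfo:\n  name: constructed example\n")
	cases := []struct{ name, t string }{{"signed", signed}, {"cr-case", CRTestCase(signed)}}
	for _, c := range cases {
		fmt.Printf("%-8s regex=%v strict=%v parser sees %q\n",
			c.name, VerifyRegex(c.t), VerifyStrict(c.t), ParserLines(c.t))
	}
}
```

The design point is the last function pair: VerifyRegex hashes a byte sequence that differs from what ParserLines acts on, so it accepts the CR test case while the parser still sees "injected: true"; VerifyStrict hashes the same bytes the parser reads and rejects it. Any template verifier should be tested this way, with the verifier's view and the parser's view of the same input compared line by line.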

Attack Vector

This vulnerability is particularly dangerous when organizations use untrusted or community-contributed templates without proper validation or isolation. Attackers can exploit this to inject malicious templates, leading to arbitrary command execution, data exfiltration, or system compromise.

Mitigation

Organizations are advised to carefully validate and isolate templates, especially those from untrusted sources. Keeping software up to date and applying patches as they become available is crucial in mitigating such vulnerabilities.


Read More

https://thehackernews.com/2025/01/researchers-uncover-nuclei.html?m=1