A critical security vulnerability has been revealed in ProjectDiscovery’s Nuclei, a popular open-source vulnerability scanner. If exploited successfully, attackers could bypass signature checks and potentially execute malicious code.
Identified as CVE-2024-43405 with a CVSS score of 7.4 out of 10, the flaw affects all Nuclei versions after 3.0.0.
“The vulnerability arises from a discrepancy in how the signature verification process and YAML parser handle newline characters, combined with how multiple signatures are processed,” the vulnerability description explains.
“This allows an attacker to inject malicious content into a template while maintaining a valid signature for the benign part of the template.”
Nuclei serves as a vulnerability scanner for modern applications, cloud platforms, and networks, using YAML-based templates to send specific requests and identify security flaws. It also supports the execution of external code through the code protocol.
Discovered by cloud security firm Wiz, CVE-2024-43405 lies in the template signature verification process, allowing attackers to craft malicious templates that could execute arbitrary code and access sensitive data on the host system.
“This signature verification is the only method for validating Nuclei templates, making it a potential single point of failure,” noted Wiz researcher Guy Goldenberg in an analysis.
The vulnerability stems from the use of regular expressions for signature validation and from parsing conflicts between the regex and the YAML parser: the two disagree on what counts as a line boundary. This allows attackers to introduce a “\r” character to evade signature verification and execute code through the YAML interpreter.
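As an added, defender-side illustration of the parser disagreement described above (this is not Nuclei's own code), the pre-flight check below splits a template on “\n” only, the way a regex-based signature check is assumed to, and refuses any template that carries a bare carriage return or more than one `# digest:` line. The `# digest:` prefix, the sample templates and the line discipline are assumptions for the example.

```go
package main

import (
	"bytes"
	"fmt"
)

// TemplateFinding records why a template failed the pre-check.
type TemplateFinding struct {
	BareCR      bool // a "\r" that is not part of a "\r\n" line ending
	DigestLines int  // number of lines beginning with "# digest:"
}

// Unsafe reports whether the template should be held for human review
// instead of being handed to the scanner.
func (f TemplateFinding) Unsafe() bool {
	return f.BareCR || f.DigestLines > 1
}

// CheckTemplate walks the template using "\n" as the only separator
// (the assumed regex view) and flags the two conditions the advisory
// names: a stray "\r" that a YAML parser would treat as a line break,
// and multiple "# digest:" lines.
func CheckTemplate(tpl []byte) TemplateFinding {
	var f TemplateFinding
	for _, line := range bytes.Split(tpl, []byte("\n")) {
		l := bytes.TrimSuffix(line, []byte("\r")) // tolerate CRLF files
		if bytes.Contains(l, []byte("\r")) {
			f.BareCR = true
		}
		if bytes.HasPrefix(bytes.TrimSpace(l), []byte("# digest:")) {
			f.DigestLines++
		}
	}
	return f
}

// Constructed sample templates (placeholder digests, not real values).
const (
	benignTemplate       = "id: demo\ninfo:\n  name: demo\n# digest: PLACEHOLDER\n"
	bareCRTemplate       = "id: demo\ninfo:\r  name: demo\n# digest: PLACEHOLDER\n"
	doubleDigestTemplate = "id: demo\n# digest: PLACEHOLDER-A\n# digest: PLACEHOLDER-B\n"
)

func main() {
	for name, tpl := range map[string]string{"benign": benignTemplate, "bare-cr": bareCRTemplate, "two-digests": doubleDigestTemplate} {
		f := CheckTemplate([]byte(tpl))
		fmt.Printf("%-12s unsafe=%-5v bareCR=%-5v digestLines=%d\n", name, f.Unsafe(), f.BareCR, f.DigestLines)
	}
}
```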
Following responsible disclosure, ProjectDiscovery released version 3.3.2 on September 4, 2024, addressing the issue. The latest version is 3.3.7.
“Attackers could manipulate # digest lines in malicious templates to bypass Nuclei’s signature verification,” Goldenberg warned. “Running untrusted or community-contributed templates without proper validation could lead to arbitrary code execution or system compromise.”