SCA: security update for nuxt-api-party (GHSA-3wfp-253j-5jxv)

high Tenable Self-Hosted Container Security Plugin ID 409734

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- `nuxt-api-party` is an open source module to proxy API requests. nuxt-api-party attempts to check if the
user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to
use the regular expression `^https?://`, however this regular expression can be bypassed by an absolute
URL with leading whitespace. For example `\nhttps://whatever.com` which has a leading newline. According
to the fetch specification, before a fetch is made the URL is normalized. "To normalize a byte sequence
potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue.". This means
the final request will be normalized to `https://whatever.com` bypassing the check and nuxt-api-party will
send a request outside of the whitelist. This could allow us to leak credentials or perform Server-Side
Request Forgery (SSRF). This vulnerability has been addressed in version 0.22.1. Users are advised to
upgrade. Users unable to upgrade should revert to the previous method of detecting absolute URLs.
(CVE-2023-49799)

See Also

https://github.com/advisories/GHSA-3wfp-253j-5jxv

Plugin Details

Severity: High

ID: 409734

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2023-49799

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/12/2023

Vulnerability Publication Date: 12/8/2023

Reference Information

CVE: CVE-2023-49799

cwe: CWE-918