Cyberrisk

Open source vulnerability scanner found with a serious vulnerability in its own code

Teilen:

The flaw could allow attackers to bypass Nuclei’s template signature verification process to inject malicious codes into host systems.

A widely popular open-source tool, Nuclei, used for scanning vulnerabilities and weaknesses in websites, cloud applications, and networks is found to have a high-severity flaw that could potentially allow attackers to execute malicious codes on local systems.

The flaw tracked as CVE-2024-43405 is assigned a CVSS score of 7.4 out of 10 and is said to impact all versions of Nuclei later than 3.0.0.

Attackers could use maliciously crafted templates with arbitrary codes that can allow access to sensitive host data, according to the researchers at Cloud security firm Wiz, which was credited with the discovery of CVE-2024-43405. The bypass POC has been published with the description for users.

According to a description by ProjectDiscovery, the developer and maintainer of Nuclei, the flaw is present in the template signature verification process, specifically in the “signer” package.

“A vulnerability has been identified in Nuclei’s template signature verification system that could allow an attacker to bypass the signature check and possibly execute malicious code via custom code template,” ProjectDiscovery said in the description.

The flaw has received a patch in the Nuclei v3.3.2 rollout.

Spoofing Nuclei’s template verification

Nuclei has over 21,000 stars on GitHub and over 2.1 million downloads. The tool uses “templates,” in the form of YAML files, that define specific checks or tests for the vulnerability scanning process. Ensuring the authenticity of these templates is crucial to avoid tampered or malicious templates that are misleading or compromising the scanning process.

Nuclei has a Go regex-based signature verification process in place to ensure authenticity. The flaw stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, ProjectDiscovery explained. While Go’s verification logic considers “\r” part of the same line, the YAML parser treats it as a line break, thereby leaving room for attackers to insert malicious codes.

This, combined with the fact that Nuclei has flawed processing of multiple signature lines “digest:,” can potentially lead to an attacker injecting malicious content into a template while keeping the signature valid for the harmless portion of the template.

Both CLI and SDK users are affected

According to ProjectDiscovery, both CLI and SDK users of Nuclei are impacted and need to apply patches. CLI users include those executing custom code templates from unverified sources like third parties and unverified repositories.

SDK users are affected when developers integrating Nuclei into their platforms permit the execution of custom code templates by end-users.

Apart from upgrading to the fixed version that has been available since September 4, 2024, an interim measure could include refraining from using custom templates, ProjectDiscovery advised.

Quelle

Kommentar verfassen

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

lade-bild
London, GB
3:41 am, Juli 11, 2025
Wetter-Symbol 18°C
L: 17° | H: 19°
aufgelockerte Bewölkung
Luftfeuchtigkeit: 79 %
Druck: 1021 mb
Wind: 6 mph E
Windböe: 0 mph
UV-Index: 0
Niederschlag: 0 mm
Wolken: 45%
Regen Chance: 0%
Sichtbarkeit: 10 km
Sonnenaufgang: 4:56 am
Sonnenuntergang: 9:15 pm
TäglichStündlich
Tägliche VorhersageStündliche Vorhersage
Today 10:00 pm
Wetter-Symbol
17° | 19°°C 0 mm 0% 8 mph 79 % 1021 mb 0 mm/h
Tomorrow 10:00 pm
Wetter-Symbol
19° | 30°°C 0 mm 0% 10 mph 66 % 1019 mb 0 mm/h
So. Juli 13 10:00 pm
Wetter-Symbol
18° | 30°°C 0 mm 0% 7 mph 71 % 1015 mb 0 mm/h
Mo. Juli 14 10:00 pm
Wetter-Symbol
18° | 28°°C 1 mm 100% 15 mph 84 % 1016 mb 0 mm/h
Di. Juli 15 10:00 pm
Wetter-Symbol
14° | 20°°C 1 mm 100% 14 mph 81 % 1017 mb 0 mm/h
Today 4:00 am
Wetter-Symbol
16° | 18°°C 0 mm 0% 3 mph 79 % 1021 mb 0 mm/h
Today 7:00 am
Wetter-Symbol
18° | 19°°C 0 mm 0% 2 mph 75 % 1021 mb 0 mm/h
Today 10:00 am
Wetter-Symbol
24° | 27°°C 0 mm 0% 2 mph 57 % 1021 mb 0 mm/h
Today 1:00 pm
Wetter-Symbol
30° | 30°°C 0 mm 0% 3 mph 32 % 1020 mb 0 mm/h
Today 4:00 pm
Wetter-Symbol
32° | 32°°C 0 mm 0% 4 mph 26 % 1018 mb 0 mm/h
Today 7:00 pm
Wetter-Symbol
30° | 30°°C 0 mm 0% 6 mph 29 % 1017 mb 0 mm/h
Today 10:00 pm
Wetter-Symbol
23° | 23°°C 0 mm 0% 8 mph 49 % 1019 mb 0 mm/h
Tomorrow 1:00 am
Wetter-Symbol
21° | 21°°C 0 mm 0% 5 mph 57 % 1019 mb 0 mm/h
Name Preis24H (%)
Bitcoin(BTC)
€99,327.38
4.37%
Ethereum(ETH)
€2,527.66
6.25%
Fesseln(USDT)
€0.85
-0.01%
XRP(XRP)
€2.20
6.11%
Solana(SOL)
€140.86
3.84%
USDC(USDC)
€0.85
-0.01%
Dogecoin(DOGE)
€0.169109
9.34%
Shiba Inu(SHIB)
€0.000012
8.97%
Pepe(PEPE)
€0.000011
13.66%
Peanut das Eichhörnchen(PNUT)
€0.245548
22.13%
Nach oben scrollen