
Signature Verification Bypass Discovered in Nuclei Vulnerability Scanner


Security researchers at Wiz have uncovered a significant vulnerability in Nuclei, a widely used open-source security scanning tool, that could allow attackers to bypass its signature verification mechanism and potentially execute malicious code.

The vulnerability, tracked as CVE-2024-43405 with a CVSS score of 7.4, affects all versions of Nuclei after 3.0.0 and has been patched in version 3.3.2.

Nuclei is a powerful open-source vulnerability scanner created by ProjectDiscovery that has gained remarkable traction with over 21,000 GitHub stars and 2.1 million downloads. 

The platform's core innovation lies in its YAML template-based architecture, which enables the security community to define and share security checks and attack patterns.

The vulnerability (CVE-2024-43405) stems from an inconsistency between how Nuclei's signature verification process and its YAML parser handle newline characters.

Researchers discovered that the tool's regex-based signature verification treats '\r' (carriage return) characters differently from the YAML parser, creating a security gap that attackers could exploit.

"The verification logic validates only the first # digest: line. Additional # digest: lines are ignored during verification but remain in the content to be parsed and executed by YAML," explained Guy Goldenberg from Wiz Research. This discrepancy allows attackers to inject malicious content into templates while maintaining a valid signature for the benign portion.
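The following Go lint, added here as an illustration and not taken from Nuclei or Wiz, shows the kind of pre-execution check a defender can run over template files: it flags any `# digest:` line after the first and any carriage return that is not part of a `\r\n` pair, the two properties the discrepancy above relies on. The `# digest:` comment convention is the one the article names; the sample templates are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one reason to quarantine a template before it reaches the parser.
type Finding struct {
	Segment int    // 1-based index of the line segment, 0 if not segment-specific
	Why     string
}

// lineBreak splits on every sequence a YAML parser may treat as a line end,
// not only on '\n', so a marker hidden behind a bare '\r' is still seen.
var lineBreak = regexp.MustCompile("\r\n|\r|\n")

// LintTemplate inspects the raw text of a template (assumed convention: the
// signature travels in a "# digest:" comment line) and reports
//   - any bare '\r' not followed by '\n': a line-oriented regex and a YAML
//     parser can disagree on whether it ends a line;
//   - any "# digest:" segment after the first: per CVE-2024-43405 only the
//     first was verified while later ones still reached the YAML parser.
func LintTemplate(raw string) []Finding {
	var out []Finding
	for i := 0; i < len(raw); i++ {
		if raw[i] == '\r' && (i+1 >= len(raw) || raw[i+1] != '\n') {
			out = append(out, Finding{0, fmt.Sprintf("bare carriage return at byte offset %d", i)})
		}
	}
	digests := 0
	for n, seg := range lineBreak.Split(raw, -1) {
		if strings.HasPrefix(seg, "# digest:") {
			digests++
			if digests > 1 {
				out = append(out, Finding{n + 1, "additional '# digest:' line; only the first is verified"})
			}
		}
	}
	return out
}

// Constructed sample inputs (not real templates or real digests).
const cleanTemplate = "id: example\n# digest: abc123\ninfo:\n  name: example\n"
const suspiciousTemplate = "id: example\n# digest: abc123\r# digest: def456\ninfo:\n  name: example\n"

func main() {
	for _, f := range LintTemplate(suspiciousTemplate) {
		fmt.Printf("segment %d: %s\n", f.Segment, f.Why)
	}
}
```

A template with any finding should be rejected or reviewed by hand rather than executed; a clean result does not by itself prove the signature is valid.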

The potential impact is particularly concerning for organizations that run untrusted or community-contributed templates without proper isolation. 

An attacker could exploit this vulnerability to inject malicious templates, potentially leading to unauthorized command execution, data exfiltration, or system compromise.

ProjectDiscovery has fixed the flaw with the release of Nuclei version 3.3.2. The current version of Nuclei is 3.3.7.
