Tuesday, January 7, 2025

Researchers Expose Critical Flaw in Nuclei, Allowing Adversaries to Evade Signatures and Execute Malicious Code with Ease.

A critical security vulnerability has been identified in Nuclei, ProjectDiscovery's popular open-source vulnerability scanner, which could be exploited by attackers to bypass signature checks and potentially execute malicious code.

Tracked as CVE-2024-43405, it carries a CVSS score of 7.4 out of a maximum of 10.0. The flaw affects all versions of Nuclei later than 3.0.0.

The issue arises from a discrepancy in how the signature verification process and the YAML parser handle newline characters, combined with the way multiple signatures are processed, as outlined in the vulnerability report.

This allows attackers to inject malicious content into a template while its digest still appears valid.

Nuclei is a vulnerability scanner that probes modern applications, infrastructure, cloud platforms, and networks to detect security vulnerabilities. Its scanning engine is driven by YAML templates, which are essentially collections of key-value pairs, to determine whether a given flaw is present.

Nuclei can also execute external code on the host operating system, which gives researchers additional flexibility in managing security testing workflows but also increases the complexity and risk involved.

Cloud security firm Wiz, which identified CVE-2024-43405, determined that the vulnerability originates in the template signature verification process, a mechanism designed to ensure the integrity of distributed templates.

Successful exploitation of the vulnerability allows attackers to circumvent critical validation checks, enabling the creation of malicious templates that can execute arbitrary code and extract sensitive information from the host system.

“Given that signature verification remains the sole viable method for authenticating Nuclei templates, it constitutes a potential single point of vulnerability,” stated Dr. Man Goldenberg, a Wiz researcher, during a Friday briefing.

The vulnerability stems from the use of regular expressions for signature validation, which creates a parsing conflict between the regex and the YAML parser: an attacker can insert a carriage-return (“\r”) character that the regex-based signature check treats as ordinary line content but the YAML parser interprets as a line break.

This parsing inconsistency makes it possible to craft a custom Nuclei template that uses “\r” to introduce a second “# digest:” line, which bypasses signature verification while still being parsed and executed by the YAML parser.

Go’s regex-based signature verification treats “\r” as part of the same line, whereas the YAML parser interprets it as a line break. “This vulnerability allows attackers to inject malicious content that evades validation but is ultimately executed by the YAML parser,” Goldenberg explained.

“The verification logic only validates the first ‘# digest:’ line. Subsequent lines are ignored during verification, yet they remain in the content to be parsed and executed by YAML.”

Moreover, template verification includes a step that removes the signature line from the content before hashing, but this step strips only the first such line, leaving subsequent lines unverified yet still executable.
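The two root causes described above (a regex that only recognises “\n” as a line break while the YAML parser also breaks on “\r”, and a check that strips and validates only the first digest line) can be reproduced in a few lines of Python. The following is an added illustration, not Nuclei's or Wiz's code: the signing scheme (a trailing “# digest: <sha256>” comment), the regex, the tiny stand-in for the YAML parser and the sample template are all constructed for the demo. `naive_verify` models the flawed check, while `hardened_verify` shows the defensive properties a verifier should have: reject non-LF line terminators so the regex and the parser agree on line boundaries, require exactly one digest line, and hash exactly the bytes the parser will see.

```python
import hashlib
import re

# Demo-only signing scheme (assumption, not Nuclei's real format): the template
# ends with a comment line carrying the SHA-256 of everything before it.
DIGEST_LINE = re.compile(r"^# digest: (?P<hex>[0-9a-f]{64}).*$", re.MULTILINE)
# Line terminators YAML recognises besides '\n'; a verifier must not accept them
# silently, because its regex will not see them as line breaks.
OTHER_TERMINATORS = "\r\x0b\x0c\x1c\x1d\x1e\x85\u2028\u2029"


def sign_template(body: str) -> str:
    """Append the demo digest line to a template body (body must end with '\\n')."""
    digest = hashlib.sha256(body.encode()).hexdigest()
    return f"{body}# digest: {digest}\n"


def naive_verify(template: str) -> bool:
    """Models the flawed check: find the first digest line with a multiline regex,
    cut that 'line' out, and hash the remainder. In a multiline regex '.' and '$'
    only respect '\\n', so a '\\r' plus anything after it is swallowed as part of
    the digest line and therefore never hashed."""
    m = DIGEST_LINE.search(template)
    if m is None:
        return False
    rest = template[m.end():]
    if rest.startswith("\n"):
        rest = rest[1:]
    remainder = template[: m.start()] + rest
    return hashlib.sha256(remainder.encode()).hexdigest() == m.group("hex")


def top_level_keys(template: str) -> list[str]:
    """Tiny stand-in for the YAML parser: str.splitlines() breaks on '\\r' just as
    YAML does, so it reports the same top-level keys a real parser would see."""
    keys = []
    for line in template.splitlines():
        if line and not line.startswith(("#", " ", "\t")) and ":" in line:
            keys.append(line.split(":", 1)[0])
    return keys


def hardened_verify(template: str) -> tuple[bool, str]:
    """Defensive verifier: make the signature check and the parser agree."""
    if any(ch in template for ch in OTHER_TERMINATORS):
        return False, "non-LF line terminator present"
    lines = template.splitlines(keepends=True)
    digest_idx = [i for i, line in enumerate(lines) if line.startswith("# digest:")]
    if len(digest_idx) != 1:
        return False, f"expected exactly one digest line, found {len(digest_idx)}"
    if digest_idx[0] != len(lines) - 1:
        return False, "digest line must be the last line"
    m = re.fullmatch(r"# digest: ([0-9a-f]{64})\n?", lines[-1])
    if m is None:
        return False, "malformed digest line"
    body = "".join(lines[:-1])  # exactly the lines the parser will see
    if hashlib.sha256(body.encode()).hexdigest() != m.group(1):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample template; the hidden line is a harmless extra key.
    body = "id: example-check\ninfo:\n  name: Example\n  severity: info\n"
    signed = sign_template(body)
    smuggled = signed[:-1] + "\rinjected: value\n"
    for label, tpl in (("clean", signed), ("with CR", smuggled)):
        print(label, "naive:", naive_verify(tpl), "hardened:", hardened_verify(tpl),
              "parser keys:", top_level_keys(tpl))
```

Running it shows the clean template passing both checks, while the template carrying a carriage return passes `naive_verify` (the hidden line was cut out together with the digest line, so the hash still matches) yet surfaces an extra top-level key to the parser; `hardened_verify` rejects it before any hashing takes place. The same property, hashing precisely the bytes the consumer will parse, is the general fix for this class of verifier/parser mismatch.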

Following responsible disclosure, ProjectDiscovery addressed the issue on September 4, 2024. The current version of Nuclei is 3.3.7.

Attackers could create malicious templates featuring manipulated “# digest:” lines or strategically placed newline characters to evade Nuclei’s signature verification, according to Goldenberg.

“A potential attack scenario emerges when organisations execute unverified or open-source templates without adequate validation and segregation.” An attacker could exploit this vulnerability to inject harmful templates, which could lead to the execution of arbitrary commands, theft of sensitive information, and complete system takeover.
