CVE-2024-43405
Published: 04 September 2024
Summary
CVE-2024-43405 is a high-severity OS Command Injection (CWE-78) vulnerability in Projectdiscovery Nuclei. Its CVSS base score is 7.4 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks in the top 9.5% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
Nuclei is a vulnerability scanner driven by YAML-based templates; CVE-2024-43405 affects versions 3.0.0 through 3.3.1. The flaw lies in the `signer` package, which verifies template signatures. The verification logic and the YAML parser disagree about what counts as a newline, and the signer processes templates that carry more than one signature; together these let an attacker inject content that the signature check does not cover but that the YAML parser still reads and executes, while the signature over the benign portion of the template remains valid. In other words, the bytes the signer verifies and the bytes the parser executes are not the same. The issue is classified as CWE-78 (OS Command Injection) and carries a CVSS 3.1 base score of 7.4.
An attacker who supplies a crafted custom code template can therefore bypass the signature check and achieve code execution on the host running Nuclei. CLI users are exposed when they load templates from untrusted third-party sources or repositories; SDK integrators are exposed when their platforms let end users submit and execute such templates. Successful exploitation yields high-impact confidentiality and integrity compromise and requires neither local privileges nor user interaction beyond the template being executed.
The fix shipped in Nuclei v3.3.2, and the project's security advisory recommends upgrading immediately. As interim controls, organizations that cannot upgrade should refrain from running custom templates, execute only trusted and verified templates, or disable custom code template execution entirely until the update is applied. The EPSS probability is modest in absolute terms (currently 0.0561, peak 0.0624), consistent with limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2747
Vulnerability details
Nuclei is a vulnerability scanner powered by YAML based templates. Starting in version 3.0.0 and prior to version 3.3.2, a vulnerability in Nuclei's template signature verification system could allow an attacker to bypass the signature check and possibly execute malicious code via custom code template. The vulnerability is present in the template signature verification process, specifically in the `signer` package. The vulnerability stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, combined with the way multiple signatures are processed. This allows an attacker to inject malicious content into a template while maintaining a valid signature for the benign part of the template. CLI users are affected if they execute custom code templates from unverified sources. This includes templates authored by third parties or obtained from unverified repositories. SDK Users are affected if they are developers integrating Nuclei into their platforms, particularly if they permit the execution of custom code templates by end-users. The vulnerability is addressed in Nuclei v3.3.2. Users are strongly recommended to update to this version to mitigate the security risk. As an interim measure, users should refrain from using custom templates if unable to upgrade immediately. Only trusted, verified templates should be executed. Those who are unable to upgrade Nuclei should disable running custom code templates as a workaround.
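The mechanism described in the analysis above and in the advisory text (a signature check and a parser that disagree about where a line ends, plus acceptance of more than one signature line) is illustrated by the following constructed Go program. It is an added example written for this page, not Nuclei's `signer` code and not the real exploit payload: the HMAC signing scheme, the `# digest:` line format, the carriage-return based payload and the injected `code` key are all assumptions chosen to make the parser differential visible. `VerifyVulnerable` mimics a verifier whose line matching only recognises `\n`, `parserLines` mimics a YAML-style consumer that also treats `\r` as a line terminator, and `VerifyHardened` shows the corresponding fix: split lines exactly as the consumer does, accept a single signature line, require it to be last, and verify the bytes the parser will actually read.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed example of a signer/parser newline differential. Not Nuclei's code;
// HMAC stands in for the project's real signature scheme (assumption).
var signingKey = []byte("example-signing-key")

// BenignTemplate is a constructed, harmless template body.
const BenignTemplate = "id: example-template\ninfo:\n  name: Example\n  severity: info\n"

// reDigest finds digest lines the way a '\n'-only matcher would: in Go regexp,
// (?m)^ and $ anchor at '\n' only and '.' matches '\r', so a '\r' and whatever
// follows it on the same '\n'-delimited line are swallowed as part of the digest.
var reDigest = regexp.MustCompile(`(?m)^# digest: (.*)$\n?`)

func mac(body string) string {
	m := hmac.New(sha256.New, signingKey)
	m.Write([]byte(body))
	return hex.EncodeToString(m.Sum(nil))
}

// Sign appends a digest line covering every byte of body.
func Sign(body string) string {
	return body + "# digest: " + mac(body) + "\n"
}

// VerifyVulnerable strips all digest lines with the '\n'-based regex and
// accepts if any one of the digests matches the remainder.
func VerifyVulnerable(tpl string) bool {
	matches := reDigest.FindAllStringSubmatch(tpl, -1)
	if len(matches) == 0 {
		return false
	}
	want := mac(reDigest.ReplaceAllString(tpl, ""))
	for _, m := range matches {
		if hmac.Equal([]byte(m[1]), []byte(want)) {
			return true
		}
	}
	return false
}

// parserLines splits the way a YAML-style consumer does: "\r\n", "\r" and "\n"
// all terminate a line.
func parserLines(tpl string) []string {
	norm := strings.ReplaceAll(tpl, "\r\n", "\n")
	norm = strings.ReplaceAll(norm, "\r", "\n")
	norm = strings.TrimSuffix(norm, "\n")
	if norm == "" {
		return nil
	}
	return strings.Split(norm, "\n")
}

// TopLevelKeys reports the top-level mapping keys the consumer would see.
func TopLevelKeys(tpl string) []string {
	var keys []string
	for _, l := range parserLines(tpl) {
		if l == "" || strings.HasPrefix(l, " ") || strings.HasPrefix(l, "#") {
			continue
		}
		if k, _, ok := strings.Cut(l, ":"); ok {
			keys = append(keys, k)
		}
	}
	return keys
}

// Craft appends a second digest line that smuggles a new top-level key behind a
// '\r': the regex treats it as digest text, the parser treats it as a new line.
func Craft(signed string) string {
	return signed + "# digest: 00\rcode: |\r  echo injected\n"
}

// VerifyHardened splits lines as the consumer does, permits exactly one digest
// line, requires it to be last, and verifies the bytes the parser will read.
func VerifyHardened(tpl string) error {
	lines := parserLines(tpl)
	var body []string
	var digests []int
	for i, l := range lines {
		if strings.HasPrefix(l, "# digest: ") {
			digests = append(digests, i)
			continue
		}
		body = append(body, l)
	}
	switch {
	case len(digests) == 0:
		return errors.New("no digest line")
	case len(digests) > 1:
		return errors.New("more than one digest line")
	case digests[0] != len(lines)-1:
		return errors.New("digest line must be the last line")
	}
	got := strings.TrimPrefix(lines[digests[0]], "# digest: ")
	want := mac(strings.Join(body, "\n") + "\n")
	if !hmac.Equal([]byte(got), []byte(want)) {
		return errors.New("digest does not match template body")
	}
	return nil
}

func main() {
	signed := Sign(BenignTemplate)
	crafted := Craft(signed)
	fmt.Println("benign  vulnerable:", VerifyVulnerable(signed), " hardened:", VerifyHardened(signed))
	fmt.Println("crafted vulnerable:", VerifyVulnerable(crafted), " hardened:", VerifyHardened(crafted))
	fmt.Println("keys the consumer sees in crafted:", TopLevelKeys(crafted))
}
```

Run with `go run`: the benign template verifies under both verifiers, the crafted template passes only the vulnerable one, and the consumer sees a top-level `code` key that was never signed. The hardened verifier does not need to know about `\r` specifically; by reusing the consumer's own line splitting and insisting on a single, final signature line, any future disagreement about line boundaries fails closed.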
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-derived mapping)
Why these techniques?
The signature verification flaw lets an attacker slip shell commands past the check by exploiting the newline-handling discrepancy (Command and Scripting Interpreter, T1059, specifically Unix Shell, T1059.004). In doing so the attacker subverts the code-signing trust control (Subvert Trust Controls: Code Signing, T1553.002) and uses the bypass to evade a defensive mechanism (Exploitation for Defense Evasion, T1211).
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived mapping)
Per-CVE control mapping for this CVE has not run yet; the controls listed here are derived from the weakness type (CWE-78) cited in the NVD entry rather than from analysis of this specific vulnerability.