Cyber Resilience

CVE-2024-43405

Severity: High
Published: 04 September 2024
Modified: 01 October 2024
KEV Added: not listed
Patch: available (v3.3.2)
CVSS Score v3.1: 7.4 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0561 (90.5th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-43405 is a high-severity OS Command Injection (CWE-78) vulnerability in Projectdiscovery Nuclei. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). By EPSS the CVE ranks in the top 9.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

Deeper analysis

Nuclei is a vulnerability scanner that relies on YAML-based templates, and CVE-2024-43405 affects versions 3.0.0 through 3.3.1. The flaw resides in the signer package responsible for template signature verification. A mismatch in newline handling between the verification logic and the YAML parser, combined with support for multiple signatures, permits an attacker to inject malicious content while preserving a valid signature on the benign portion of the template. The issue is tracked as CWE-78 and carries a CVSS 3.1 score of 7.4.

An attacker who supplies a crafted custom code template can bypass the signature check and achieve code execution on the system running Nuclei. CLI users are exposed when they load templates from untrusted third-party sources or repositories, while SDK integrators are exposed when their platforms allow end users to execute such templates. Successful exploitation can result in high-impact confidentiality and integrity compromise; per the CVSS vector the attack is local (AV:L), requires no privileges (PR:N), and needs no user interaction beyond the act of running the template (UI:R).

The project’s security advisory and the patch commit at version 3.3.2 recommend immediate upgrade. As interim controls, organizations should avoid running custom templates or disable custom code template execution entirely until the update can be applied. The EPSS score remains low, with a current value of 0.0561 and a peak of 0.0624, indicating limited observed exploitation interest to date.

Vulnerability details

Nuclei is a vulnerability scanner powered by YAML based templates. Starting in version 3.0.0 and prior to version 3.3.2, a vulnerability in Nuclei's template signature verification system could allow an attacker to bypass the signature check and possibly execute malicious code via custom code template. The vulnerability is present in the template signature verification process, specifically in the `signer` package. The vulnerability stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, combined with the way multiple signatures are processed. This allows an attacker to inject malicious content into a template while maintaining a valid signature for the benign part of the template. CLI users are affected if they execute custom code templates from unverified sources. This includes templates authored by third parties or obtained from unverified repositories. SDK users are affected if they are developers integrating Nuclei into their platforms, particularly if they permit the execution of custom code templates by end-users. The vulnerability is addressed in Nuclei v3.3.2. Users are strongly recommended to update to this version to mitigate the security risk. As an interim measure, users should refrain from using custom templates if unable to upgrade immediately. Only trusted, verified templates should be executed. Those who are unable to upgrade Nuclei should disable running custom code templates as a workaround.
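The weakness class described in the analysis and in the advisory text above, shown as an added illustration in Go (the language Nuclei is written in). This is constructed example code, not Nuclei's `signer` package; the `# digest:` marker, the Ed25519 key handling and the template layout are assumptions. It contrasts a verifier that checks only the bytes before the first signature line, so that trailing lines the YAML parser would still read go unverified, with a strict verifier that requires exactly one signature line as the final line, rejects carriage returns that could be read differently by the two components, and hands the parser only the bytes it actually verified.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// sigMarker is a constructed marker for the signature line. It is an
// assumption for this example, not Nuclei's actual template format.
const sigMarker = "# digest: "

// signTemplate signs the exact bytes of body (forced to end in a newline)
// and appends a single signature line after them.
func signTemplate(priv ed25519.PrivateKey, body []byte) []byte {
	signed := append([]byte(nil), body...)
	if !bytes.HasSuffix(signed, []byte("\n")) {
		signed = append(signed, '\n')
	}
	sig := ed25519.Sign(priv, signed)
	return append(signed, (sigMarker + hex.EncodeToString(sig) + "\n")...)
}

// verifyWeak models the weakness class: it verifies only the bytes before
// the first signature line and ignores everything after it. A YAML parser
// given the whole file still reads the trailing, unsigned lines, so the
// verifier and the parser disagree about what "the template" is.
func verifyWeak(pub ed25519.PublicKey, tpl []byte) error {
	idx := bytes.Index(tpl, []byte(sigMarker))
	if idx < 0 {
		return errors.New("no signature line")
	}
	rest := tpl[idx+len(sigMarker):]
	if end := bytes.IndexByte(rest, '\n'); end >= 0 {
		rest = rest[:end]
	}
	sig, err := hex.DecodeString(string(rest))
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, tpl[:idx], sig) {
		return errors.New("signature does not match")
	}
	return nil
}

// verifyStrict closes the gap: exactly one signature line, it must be the
// final line, no carriage returns that a parser might treat as line breaks,
// and the caller receives precisely the bytes that were verified, which are
// the only bytes that should ever reach the YAML parser.
func verifyStrict(pub ed25519.PublicKey, tpl []byte) ([]byte, error) {
	if bytes.ContainsRune(tpl, '\r') {
		return nil, errors.New("carriage return in template")
	}
	if bytes.Count(tpl, []byte(sigMarker)) != 1 {
		return nil, errors.New("expected exactly one signature line")
	}
	idx := bytes.Index(tpl, []byte(sigMarker))
	if idx > 0 && tpl[idx-1] != '\n' {
		return nil, errors.New("signature marker must start a line")
	}
	line := bytes.TrimSuffix(tpl[idx:], []byte("\n"))
	if bytes.ContainsRune(line, '\n') {
		return nil, errors.New("content after signature line")
	}
	sig, err := hex.DecodeString(string(line[len(sigMarker):]))
	if err != nil {
		return nil, err
	}
	body := tpl[:idx]
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature does not match")
	}
	return append([]byte(nil), body...), nil
}

// demo signs a constructed template, appends one unsigned line after the
// signature line, and reports how each verifier treats the original and the
// modified file.
func demo() (weakAcceptsAppended, strictAcceptsAppended, strictAcceptsOriginal bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	original := []byte("id: constructed-template\ninfo:\n  name: example\n")
	signed := signTemplate(priv, original)
	appended := append(append([]byte(nil), signed...), "extra: unsigned\n"...)

	weakAcceptsAppended = verifyWeak(pub, appended) == nil
	_, e := verifyStrict(pub, appended)
	strictAcceptsAppended = e == nil
	body, e := verifyStrict(pub, signed)
	strictAcceptsOriginal = e == nil && bytes.Equal(body, original)
	return
}

func main() {
	w, sa, so, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("weak verifier accepts appended content: %v\n", w)
	fmt.Printf("strict verifier accepts appended content: %v\n", sa)
	fmt.Printf("strict verifier accepts original: %v\n", so)
}
```

The design point for integrators is the return value of `verifyStrict`: the parser should be fed the verified bytes it returns, never the original file, so the verifier and the parser can no longer disagree about where the template ends.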

CWE(s)

CWE-78: OS Command Injection

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1211 Exploitation for Stealth (Stealth): Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
T1553.002 Code Signing (Defense Impairment): Adversaries may create, acquire, or steal code signing materials to sign their malware or tools.
Why these techniques?

The flaw in template signature verification lets malicious shell commands be injected past the check (T1059/T1059.004) because of the newline-handling discrepancy, which subverts the code-signing trust control (T1553.002) and gives the attacker a way to evade detection (T1211).

Affected Assets

projectdiscovery / nuclei: 3.0.0 — 3.3.2 (fixed in 3.3.2)

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
