Dev mode Path traversal in nuxt/framework

Valid

Reported on

Oct 27th 2022


Description

The Vite dev server that Nuxt runs in development mode is configured in a way that permits any file on the host file system to be retrieved through it.

Root Cause

The Vite configuration generated by Nuxt sets Vite's file-serving option server.fs.strict to false. With strict mode disabled, Vite's /@fs/ handler serves whatever absolute path it is given instead of restricting requests to the workspace root and the configured allow list.

Exploitation

Requirements:

  • The target must be running the Nuxt dev server (development mode); production builds do not run Vite's dev server.

The vulnerability can be exploited with requests such as /_nuxt/@fs/etc/passwd: the part of the URL after @fs/ is treated as an absolute path on the server, so any readable file can be requested this way.

Proof of Concept

Deploy the default playground in development mode and request http://server/_nuxt/@fs/etc/passwd.
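To make the root cause and the exploit path concrete, the following is an added example (not code from the nuxt/framework or Vite projects) that models the decision the dev server makes for an @fs request. The FsOptions shape, the NUXT_BASE and FS_PREFIX constants, the /srv/app allow root and the URL-parsing helper are assumptions for illustration; it assumes POSIX paths. The point it shows is that with strict set to false (the report's misconfiguration) the check degenerates to "serve everything", while with strict set to true only files under an allowed root survive, including after ../ traversal is collapsed.

```typescript
import * as path from "node:path";

// Hypothetical mirror of the relevant Vite server.fs options (illustration only,
// not Vite's own types).
interface FsOptions {
  strict: boolean;   // the option the report found set to false
  allow: string[];   // roots that may be served when strict is true
}

// Assumed: Nuxt mounts the Vite dev server under /_nuxt/, so a request for
// /_nuxt/@fs/etc/passwd reaches Vite's @fs handler; everything after @fs/ is
// interpreted as an absolute file-system path.
const NUXT_BASE = "/_nuxt/";
const FS_PREFIX = "@fs/";

// Weak setting as described in the report (root cause): strict disabled.
export const vulnerableFsOptions: FsOptions = { strict: false, allow: ["/srv/app"] };

// Corrected setting: strict enabled, serving restricted to the allowed roots.
export const hardenedFsOptions: FsOptions = { strict: true, allow: ["/srv/app"] };

// Extract the absolute path encoded in an @fs URL, or null if the URL is not an
// @fs request (e.g. an ordinary /_nuxt/entry.js module request).
export function fsPathFromUrl(urlPath: string): string | null {
  const pathname = decodeURIComponent(urlPath.replace(/\?.*$/, ""));
  const marker = NUXT_BASE + FS_PREFIX;
  if (!pathname.startsWith(marker)) return null;
  return "/" + pathname.slice(marker.length); // "/_nuxt/@fs/etc/passwd" -> "/etc/passwd"
}

// Decide whether the dev server would serve the requested file.
export function isServed(urlPath: string, opts: FsOptions): boolean {
  const fsPath = fsPathFromUrl(urlPath);
  if (fsPath === null) return false;
  // strict=false: no restriction at all, which is exactly the reported bug.
  if (!opts.strict) return true;
  // strict=true: collapse ../ segments first, then require the resolved path to
  // sit at or below one of the allowed roots. Comparing against root + "/" stops
  // /srv/application from matching the /srv/app root.
  const resolved = path.posix.resolve(fsPath);
  return opts.allow.some((root) => {
    const r = path.posix.resolve(root);
    return resolved === r || resolved.startsWith(r + "/");
  });
}

// Constructed sample requests: the report's PoC URL, a traversal variant, a
// legitimate in-project file and a non-@fs module request.
export const sampleRequests: string[] = [
  "/_nuxt/@fs/etc/passwd",
  "/_nuxt/@fs/srv/app/../../etc/passwd",
  "/_nuxt/@fs/srv/app/nuxt.config.ts",
  "/_nuxt/entry.js",
];

for (const url of sampleRequests) {
  console.log(
    url.padEnd(40),
    "strict=false:", isServed(url, vulnerableFsOptions),
    "strict=true:", isServed(url, hardenedFsOptions),
  );
}
```

The fix that landed upstream enables Vite's fs strict mode, which corresponds to the hardenedFsOptions branch above. Projects on an affected version that cannot upgrade can usually pass Vite options through nuxt.config (the vite key is merged into the Vite config) and set server.fs.strict to true there; treat that as a workaround and verify it by re-issuing the PoC request against the dev server.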

Impact

This vulnerability permits arbitrary file reads while the dev server is running.

Depending on the configuration of the target server, this can expose a wide range of sensitive information.

Dev mode servers exposed to the internet do occur in practice: Shodan reveals about 100 deployments that would likely be vulnerable in this case.

Occurrences

Strict set to false

We are processing your report and will contact the nuxt/framework team within 24 hours. 5 months ago
We have contacted a member of the nuxt/framework team and are waiting to hear back 5 months ago
OhB00
5 months ago

Researcher


Same issue in bridge https://github.com/nuxt/bridge/blob/137e612b8424512fc436f86b1677145e5b9fdc1a/src/vite/vite.ts#L94

We have sent a follow up to the nuxt/framework team. We will try again in 7 days. 5 months ago
pooya parsa
5 months ago

PR landed to enable vite fs strict mode: https://github.com/nuxt/framework/pull/8674

pooya parsa
5 months ago

/cc @danielroe about bridge

We have sent a second follow up to the nuxt/framework team. We will try again in 10 days. 4 months ago
OhB00
4 months ago

Researcher


Looks fixed to me, should probably hold off publishing this until bridge is fixed.

We have sent a third and final follow up to the nuxt/framework team. This report is now considered stale. 4 months ago
OhB00
3 months ago

Researcher


Seems fixed https://github.com/nuxt/bridge/commit/4aaf4eb188652af5ba9253d8ecf7319d2db4f951

pooya parsa validated this vulnerability a month ago
OhB00 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Daniel Roe marked this as fixed in 3.0.0-rc.13 with commit 44b410 a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
vite.ts#L67 has been validated
Daniel Roe published this vulnerability a month ago