Platform
nodejs
Component
nuxt
Fixed in
3.4.1
3.12.4
CVE-2024-34344 describes a Remote Code Execution (RCE) vulnerability within the Nuxt framework. This flaw stems from inadequate validation of the path parameter within the NuxtTestComponentWrapper component, enabling attackers to execute arbitrary JavaScript on the server-side. The vulnerability impacts versions of Nuxt prior to 3.12.4, and a patch has been released to address the issue.
The impact of this vulnerability is significant, as it allows an attacker to achieve arbitrary code execution on the server hosting the Nuxt application. This could lead to complete system compromise, including data exfiltration, modification of application logic, and installation of malware. An attacker could leverage this to gain persistent access to the server and potentially pivot to other systems within the network. The ability to execute arbitrary JavaScript grants a high degree of control over the server environment, making it a critical security concern. Exploitation could involve crafting a malicious component path that, when loaded by the NuxtTestComponentWrapper, executes attacker-controlled JavaScript.
This vulnerability was publicly disclosed on August 5, 2024. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the potential impact make it a high-priority concern. No KEV listing is currently available. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature and the public availability of the affected code.
Applications utilizing Nuxt versions prior to 3.12.4 are at risk, particularly those exposing the NuxtTestComponentWrapper component to untrusted input. Development environments and staging servers running vulnerable versions are also high-priority targets. Teams using automated deployment pipelines should ensure the upgrade process is prioritized.
• nodejs / server:
ps aux | grep nuxt
journalctl -u nuxt -f | grep "nuxt-root.vue"
• generic web:
curl -I 'http://your-nuxt-app/path/to/vulnerable/component?path=evil.js' # Check for unusual response headers
grep 'evil.js' /var/log/nginx/access.log # Look for requests containing malicious paths
Disclosure
Exploit status
EPSS
1.31% (80th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-34344 is to upgrade to Nuxt version 3.12.4 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing temporary workarounds. One approach is to restrict access to the NuxtTestComponentWrapper component, limiting its use to trusted environments. Additionally, implement strict input validation on any user-supplied data used to construct the component path. Web application firewalls (WAFs) configured to detect and block suspicious JavaScript execution attempts could also provide a layer of protection. After upgrading, confirm the fix by attempting to load a specially crafted malicious component path and verifying that it is rejected.
Update Nuxt to version 3.12.4 or later. This version fixes the remote code execution vulnerability. The update can be performed via npm or yarn, depending on your package manager.
CVE-2024-34344 is a Remote Code Execution vulnerability in Nuxt, allowing attackers to execute arbitrary JavaScript on the server due to insufficient path validation in the NuxtTestComponentWrapper component.
You are affected if you are using Nuxt versions prior to 3.12.4. Assess your Nuxt deployment to determine if it is vulnerable.
Upgrade to Nuxt version 3.12.4 or later to resolve the vulnerability. If immediate upgrade is not possible, implement WAF rules and restrict access to the vulnerable component.
While no active exploitation has been confirmed, the ease of exploitation suggests it is likely to be exploited in the near future.
Refer to the official Nuxt security advisory for detailed information and updates: https://github.com/nuxt/nuxt/security/advisories/CVE-2024-34344