Platform
nodejs
Component
@nuxt/icon
Fixed versions
1.4.6
1.4.5
CVE-2024-42352 describes a Server-Side Request Forgery (SSRF) vulnerability within the @nuxt/icon component, a popular tool for managing icons in Nuxt.js applications. This flaw allows attackers to manipulate the request path, potentially leading to unauthorized access to internal resources and sensitive data. The vulnerability impacts versions of @nuxt/icon before 1.4.5, and a patch has been released.
The SSRF vulnerability in @nuxt/icon arises from improper handling of the proxied request path within the /api/_nuxt_icon/[name] endpoint. Attackers can exploit this by crafting malicious URLs that alter the request's scheme and host. This manipulation allows them to send requests to unintended internal services or external resources, potentially bypassing security controls. Successful exploitation could lead to the exposure of sensitive data, such as internal configuration files, database credentials, or even access to other internal systems. The blast radius extends to any internal resource accessible via HTTP or HTTPS from the server hosting the Nuxt.js application.
CVE-2024-42352 was publicly disclosed on August 5, 2024. There is currently no indication of active exploitation in the wild, nor is it listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available, but the vulnerability's nature makes it relatively straightforward to exploit given access to a vulnerable application instance. The EPSS score is likely to be assessed as medium due to the ease of exploitation and potential impact.
Applications using @nuxt/icon version 1.4.4 or earlier are at risk. This includes Nuxt.js projects relying on this component for icon management. Shared hosting environments where the application server has limited network access controls are particularly vulnerable, as an attacker could potentially leverage the SSRF to access other services on the same host.
• nodejs / server:
  ps aux | grep _nuxt_icon
• nodejs / server:
  find / -path "*/_nuxt_icon/*" 2>/dev/null
• generic web:
  curl -I http://your-nuxt-app.com/api/_nuxt_icon/malicious_url
  Inspect the response headers for unexpected hostnames or schemes.
Exploitation status
EPSS
0.08% (25th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-42352 is to upgrade to @nuxt/icon version 1.4.5 or later. This version includes a fix that properly validates and sanitizes the request path, preventing the SSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests with suspicious URL patterns, specifically those attempting to manipulate the scheme or host. Additionally, restrict network access from the Nuxt.js server to only necessary internal resources to minimize the potential impact of a successful SSRF attack. After upgrading, confirm the fix by attempting to craft a malicious URL designed to trigger the SSRF and verifying that the request is properly blocked.
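As an added defensive illustration (not @nuxt/icon's own code, which is not reproduced here), the following contrasts a naive proxy-URL builder, which lets an icon name that is itself a protocol-relative or absolute URL swap the scheme or host as described above, with a hardened builder that allow-lists the name and re-checks the origin of the result; the upstream base URL and the function names are assumptions.

```javascript
// Added example, not @nuxt/icon's own code. ICON_UPSTREAM and the two
// function names are assumptions chosen for illustration.
const ICON_UPSTREAM = "https://icons.example/"; // assumed upstream icon API

// Naive resolver: resolves the user-supplied name straight against the base.
// A name such as "//host/x" or "http://host/x" is a valid relative reference,
// so WHATWG URL resolution replaces the host (and possibly the scheme): the
// request-path manipulation that this advisory describes.
function naiveResolve(name) {
  return new URL(name, ICON_UPSTREAM).href;
}

// Hardened resolver: validate the name before URL parsing ever sees it, build
// a path-absolute reference, then confirm the result still targets the
// expected origin as defence in depth.
function safeResolve(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 256) {
    return null;
  }
  let decoded;
  try {
    decoded = decodeURIComponent(name); // single decode pass; reject malformed
  } catch {
    return null;
  }
  // Only "collection:icon" style names: lowercase letters, digits, '-', ':'.
  // No '/', '\\', '.', '@', '?', '#' or '%' can survive this check.
  if (!/^[a-z0-9-]+(?::[a-z0-9-]+)+$/.test(decoded)) {
    return null;
  }
  const expected = new URL(ICON_UPSTREAM);
  // Leading '/' makes this path-absolute, so "scheme:" prefixes cannot apply.
  const url = new URL(`/${decoded}.svg`, expected);
  if (url.origin !== expected.origin) {
    return null; // should be unreachable after validation; keep as a tripwire
  }
  return url.href;
}
```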
Update the `@nuxt/icon` package to version 1.4.5 or later; this fixes the SSRF vulnerability. Run `npm update @nuxt/icon` or `yarn upgrade @nuxt/icon` to update the package.
CVE-2024-42352 is a Server-Side Request Forgery vulnerability in the @nuxt/icon component, allowing attackers to manipulate request paths and potentially access internal resources.
Yes, if you are using @nuxt/icon versions prior to 1.4.5, you are vulnerable to this SSRF vulnerability.
Upgrade to @nuxt/icon version 1.4.5 or later to remediate the vulnerability. Consider WAF rules as a temporary workaround.
There is currently no public evidence of active exploitation, but the vulnerability's nature makes it easily exploitable.
Refer to the official @nuxt/icon release notes and GitHub repository for updates and advisories related to this vulnerability.