CVE-2024-43405 Overview
CVE-2024-43405 is a signature verification bypass vulnerability in ProjectDiscovery's Nuclei vulnerability scanner. The flaw allows attackers to circumvent the template signature verification system, potentially enabling the execution of malicious code through custom code templates. It affects Nuclei versions 3.0.0 and later, up to but not including 3.3.2.
Critical Impact
Attackers can inject malicious content into Nuclei templates while maintaining a valid signature for benign portions, potentially leading to arbitrary code execution on systems running unverified templates.
Affected Products
- ProjectDiscovery Nuclei versions 3.0.0 through 3.3.1
- Nuclei CLI users executing custom code templates from unverified sources
- SDK integrations permitting execution of custom code templates by end-users
Discovery Timeline
- September 4, 2024 - CVE-2024-43405 published to NVD
- October 1, 2024 - Last updated in NVD database
Technical Details for CVE-2024-43405
Vulnerability Analysis
The vulnerability resides in Nuclei's template signature verification process, specifically within the signer package. The core issue stems from a parsing discrepancy between how the signature verification process and the YAML parser handle newline characters. This inconsistency, combined with the way multiple signatures are processed, creates an exploitable gap in the security model.
When Nuclei processes a template, the signature verification component and the YAML parser interpret newline characters differently. An attacker can exploit this discrepancy to craft a malicious template that appears valid to the signature verification system while containing injected malicious content that the YAML parser will execute. This effectively allows the attacker to maintain a valid signature for the benign portion of a template while embedding arbitrary malicious payloads.
Root Cause
The root cause is classified as CWE-78 (OS Command Injection). The vulnerability arises from improper handling of newline characters during signature verification, creating a mismatch between what is verified and what is actually parsed and executed. The signature verification process fails to account for all possible newline representations that the YAML parser accepts, allowing content to be inserted after the verified portion.
Attack Vector
The attack requires local access with user interaction. An attacker must convince a victim to download and execute a malicious Nuclei template from an untrusted source. The attack is particularly dangerous because:
- The malicious template appears to have a valid signature
- Security-conscious users who rely on signature verification may be lulled into a false sense of security
- Once executed, the template can run arbitrary code with the privileges of the Nuclei process
The vulnerability exploits the trust model of Nuclei's template ecosystem. Attackers can inject malicious content by manipulating newline character handling differences between the signature verification and YAML parsing components. This allows crafted templates to pass signature checks while containing unauthorized executable code.
Detection Methods for CVE-2024-43405
Indicators of Compromise
- Nuclei templates containing unusual or unexpected newline character sequences
- Templates with multiple signature blocks or signatures placed in non-standard locations
- Unexpected outbound network connections or system commands executed during template scans
- Modified or newly created files following Nuclei template execution
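The root-cause discussion above (a line-based verifier and a newline-tolerant YAML parser disagreeing about where lines end) and the first two indicators in this list both come down to the same check, so the following Go program is an added example that covers both: it is not Nuclei's own code and not part of the advisory. It audits a template body on two levels: on the raw bytes it counts CRLF pairs and bare carriage returns (any CR is non-canonical and is the kind of representation a `\n`-based verifier may not anticipate), and on a canonicalised copy, whose line structure approximates what a lenient parser would see, it checks that there is exactly one signature trailer and nothing but whitespace after it. The `# digest: <hex>` marker is assumed to be the trailer format of signed Nuclei templates; confirm it against the version you run. The sample templates and digest values in `main` are constructed placeholders, not real signatures.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
)

// Finding is one suspicious property of a template body.
type Finding struct {
	Code   string // short machine-friendly label
	Detail string // human-readable explanation
}

// digestLine matches the "# digest: <hex>" trailer that signed Nuclei
// templates carry. The marker format is an assumption of this example;
// confirm it against the Nuclei version you run.
var digestLine = regexp.MustCompile(`(?m)^# digest: [0-9a-fA-F]+[ \t]*$`)

// Canonicalize rewrites CRLF and bare CR line endings to LF, so that the
// bytes we reason about share the line boundaries a newline-tolerant YAML
// parser would use.
func Canonicalize(content []byte) []byte {
	out := bytes.ReplaceAll(content, []byte("\r\n"), []byte("\n"))
	return bytes.ReplaceAll(out, []byte("\r"), []byte("\n"))
}

// countLineEndings returns the number of CRLF pairs and bare CRs in raw bytes.
func countLineEndings(content []byte) (crlf, bareCR int) {
	for i := 0; i < len(content); i++ {
		if content[i] != '\r' {
			continue
		}
		if i+1 < len(content) && content[i+1] == '\n' {
			crlf++
			i++ // skip the LF that belongs to this pair
		} else {
			bareCR++
		}
	}
	return crlf, bareCR
}

// AuditTemplate reports why a template should not be trusted on the basis of
// its signature line alone. An empty result means LF-only line endings,
// exactly one digest line, and nothing but whitespace after it.
func AuditTemplate(raw []byte) []Finding {
	var findings []Finding

	// Line-ending audit on the raw bytes.
	crlf, bareCR := countLineEndings(raw)
	if crlf > 0 {
		findings = append(findings, Finding{"crlf", fmt.Sprintf("%d CRLF line endings", crlf)})
	}
	if bareCR > 0 {
		findings = append(findings, Finding{"bare-cr", fmt.Sprintf("%d bare carriage returns", bareCR)})
	}

	// Structural audit on the canonical form, so a line hidden behind a CR
	// shows up as content after the signature rather than as part of it.
	canon := Canonicalize(raw)
	locs := digestLine.FindAllIndex(canon, -1)
	switch {
	case len(locs) == 0:
		findings = append(findings, Finding{"unsigned", "no digest line found"})
	case len(locs) > 1:
		findings = append(findings, Finding{"multiple-signatures", fmt.Sprintf("%d digest lines", len(locs))})
	}
	if len(locs) > 0 {
		last := locs[len(locs)-1]
		if tail := bytes.TrimSpace(canon[last[1]:]); len(tail) > 0 {
			findings = append(findings, Finding{"content-after-signature",
				fmt.Sprintf("%d non-whitespace bytes follow the last digest line", len(tail))})
		}
	}
	return findings
}

// Trusted is the policy wrapper: only a template with no findings should
// proceed to cryptographic verification and execution.
func Trusted(raw []byte) bool {
	return len(AuditTemplate(raw)) == 0
}

func main() {
	// Constructed samples, not real Nuclei templates; the digest values are
	// placeholders, not signatures produced by Nuclei.
	clean := []byte("id: demo\ninfo:\n  name: demo\n# digest: 0123abcd\n")
	suspect := []byte("id: demo\ninfo:\n  name: demo\n# digest: 0123abcd\rinfo:\n  severity: critical\n")
	for _, s := range [][]byte{clean, suspect} {
		for _, f := range AuditTemplate(s) {
			fmt.Printf("%-25s %s\n", f.Code, f.Detail)
		}
		fmt.Println("trusted:", Trusted(s))
	}
}
```

Run as a pre-load hook or a periodic sweep over a template directory and treat any finding as a reason to quarantine the file for manual review. The `unsigned` code is deliberately included so that a template whose trailer the verifier cannot even locate is reported rather than silently accepted.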
Detection Strategies
- Monitor file integrity of Nuclei template directories for unauthorized modifications
- Implement logging for all custom code template executions in Nuclei
- Review template sources and compare against known-good templates from official repositories
- Deploy endpoint detection solutions to monitor for suspicious process spawning by Nuclei
Monitoring Recommendations
- Enable verbose logging in Nuclei to capture template execution details
- Monitor for templates originating from untrusted or third-party sources
- Implement network monitoring for anomalous traffic patterns during vulnerability scans
- Audit SDK integrations to ensure template validation occurs before execution
How to Mitigate CVE-2024-43405
Immediate Actions Required
- Upgrade Nuclei to version 3.3.2 or later immediately
- Audit all custom templates currently in use and verify their sources
- Suspend execution of custom code templates from unverified sources until patched
- Review recent scan logs for any suspicious template behavior
Patch Information
ProjectDiscovery has addressed this vulnerability in Nuclei version 3.3.2. The fix is available in commit 0da993afe6d41b4b1b814e8fad23a2acba13c60a. Users should update to this version to fully mitigate the security risk. Additional details are available in the GitHub Security Advisory.
Workarounds
- Disable custom code template execution entirely if unable to upgrade immediately
- Only execute templates from the official ProjectDiscovery template repository
- Implement strict access controls to prevent untrusted templates from being loaded
- Consider running Nuclei in a sandboxed or containerized environment to limit potential impact
# Verify the installed Nuclei version
nuclei -version
# If running a version older than 3.3.2, upgrade immediately:
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Or download the latest release binary from the project's GitHub releases page
# Refresh the official template set. Note that this does not by itself block
# third-party templates; see the workarounds above for restricting sources.
nuclei -ut
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.