Researchers Uncover Nuclei Vulnerability Enabling Signature Bypass and Code Execution

A high-severity security flaw, tracked as CVE-2024-43405, has been disclosed in ProjectDiscovery's Nuclei, a widely-used open-source vulnerability scanner. This vulnerability allows attackers to bypass signature checks and potentially execute malicious code13.

Key Highlights:

• Vulnerability Description: The vulnerability stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, combined with the way multiple signatures are processed1.
• Impact: This allows an attacker to inject malicious content into a template while maintaining a valid signature for the benign part of the template. Successful exploitation could lead to arbitrary command execution, data exfiltration, or system compromise13.
• CVSS Score: The vulnerability has a CVSS score of 7.4 out of a maximum of 10.0, indicating its high severity1.
• Affected Versions: The vulnerability impacts all versions of Nuclei later than 3.0.01.
• Fix: The vulnerability was addressed by ProjectDiscovery on September 4, 2024, with version 3.3.2. The current version of Nuclei is 3.3.71.

Detailed Context:

The vulnerability arises from the use of regular expressions (regex) for signature validation and the parsing conflict between regex and YAML parser. Specifically, the Go's regex-based signature verification treats "\r" as part of the same line, while the YAML parser interprets it as a line break. This mismatch allows attackers to inject content that bypasses verification but is executed by the YAML parser1.

Trustworthy Citations:

• The Hacker News: "Researchers Uncover Nuclei Vulnerability Enabling Signature Bypass" (January 2025)1.
• Hack Hunting: "CVE-2024-43405: Nuclei Vulnerability allows Attackers to Execute Remote Code" (January 2025)3.

This vulnerability highlights the importance of proper validation and isolation of templates in vulnerability scanning tools to prevent such attacks.