Go · github.com/projectdiscovery/nuclei/v3 · CVE-2026-41645
**Name of the Vulnerable Software and Affected Versions**
Nuclei versions 3.0.0 through 3.7.9
**Description**
A flaw in the expression evaluation engine allows a malicious target server to inject and execute supported Domain Specific Language (DSL) expressions. The flaw is triggered when a multi-step template reuses HTTP response data that contains helper or function syntax. The `expressions.Evaluate()` function replaces placeholders first and then scans the output for expressions; this two-pass process allows response-derived values to be reinterpreted as DSL syntax. Additionally, the `hasLiteralsOnly()` function evaluates helper expressions during unresolved-variable validation, causing side-effectful helpers to run. If the `-env-vars` or `-ev` option is enabled, an attacker can return response data containing expressions like `{{env var name}}` to expose sensitive host environment variables such as API keys, credentials, and tokens.
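As an added illustration (not Nuclei's own code), the following Go program models the evaluation order described above with a toy evaluator: `EvaluateVulnerable` substitutes variables and then rescans the output, while `EvaluateFixed` resolves each token of the original template exactly once. The `env("NAME")` helper, the evaluator, the variable map and the sample response value are constructed stand-ins, and the "environment" is a plain map rather than the real process environment.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// exprRe matches one {{...}} token: a variable reference or a DSL expression.
var exprRe = regexp.MustCompile(`\{\{([^{}]*)\}\}`)
// evalDSL is a hypothetical stand-in for the DSL engine; its only helper,
// env("NAME"), reads from the supplied map rather than the real environment.
func evalDSL(expr string, env map[string]string) string {
	expr = strings.TrimSpace(expr)
	if strings.HasPrefix(expr, `env("`) && strings.HasSuffix(expr, `")`) {
		return env[expr[5:len(expr)-2]]
	}
	return "<unsupported>"
}

// EvaluateVulnerable reproduces the advisory's two-pass order: substitute
// variables first, then scan the output, so response text becomes DSL.
func EvaluateVulnerable(tmpl string, vars, env map[string]string) string {
	for k, v := range vars {
		tmpl = strings.ReplaceAll(tmpl, "{{"+k+"}}", v)
	}
	return exprRe.ReplaceAllStringFunc(tmpl, func(m string) string {
		return evalDSL(exprRe.FindStringSubmatch(m)[1], env)
	})
}

// EvaluateFixed walks the original template once: a token naming a variable is
// inlined as literal text and never rescanned; any other token is evaluated.
func EvaluateFixed(tmpl string, vars, env map[string]string) string {
	return exprRe.ReplaceAllStringFunc(tmpl, func(m string) string {
		inner := strings.TrimSpace(exprRe.FindStringSubmatch(m)[1])
		if v, ok := vars[inner]; ok {
			return v
		}
		return evalDSL(inner, env)
	})
}
func main() {
	// Constructed sample: a later step reuses a value extracted from a hostile
	// server's response; the "environment" is a fake map, not os.Environ.
	env := map[string]string{"API_KEY": "sk-example-not-real"}
	vars := map[string]string{"token": `{{env("API_KEY")}}`}
	fmt.Println(EvaluateVulnerable("Bearer {{token}}", vars, env)) // secret leaks
	fmt.Println(EvaluateFixed("Bearer {{token}}", vars, env))      // literal kept
}
```

The same single-pass rule is what makes disabling `-env-vars` only a partial mitigation: it removes the most sensitive helper, but the ordering fix is what stops response data from being parsed as DSL at all.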
**Recommendations**
Update to version 3.8.0.
Disable the `-env-vars` or `-ev` option when scanning untrusted targets.