PT-2023-26166 · Nuclei · Nuclei

Keomutchoiboi · Published 2023-08-04 · Updated 2023-08-23 · CVE-2023-37896

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Nuclei versions prior to 2.9.9

Description

The issue is related to sanitization problems with payload loading in sandbox mode, affecting users who utilize Nuclei as Go code (SDK) running custom templates. This does not affect CLI users. The problem occurs due to relative paths not being converted to absolute paths before checking the sandbox flag, allowing arbitrary files to be read on the filesystem in certain cases. The maintainers have enabled sandbox by default for filesystem loading, which can be optionally disabled. The -sandbox option has been deprecated and is now divided into two new options: -lfa (allow local file access) and -lna (restrict local network access).

Recommendations

To resolve the issue, upgrade to version 2.9.9, which includes the security fix. For versions prior to 2.9.9, consider disabling the use of custom templates in the Go SDK implementation until the upgrade is applied. As a temporary workaround, consider disabling the sandbox mode or restricting local file access to minimize the risk of exploitation.
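
The ordering problem from the description, as an added Go example (not Nuclei's code and not taken from its fix): `naiveAllowed` and `resolveInSandbox` are hypothetical helpers, and `/opt/templates` is an assumed template directory. The first decides on the path as written; the second makes the path absolute and cleaned before the containment check.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// naiveAllowed models the flawed ordering: the sandbox decision is made on the
// path as written, so a relative path is never compared against the root.
// Hypothetical helper for illustration only.
func naiveAllowed(root, payload string) bool {
	if filepath.IsAbs(payload) {
		return strings.HasPrefix(payload, root) // also matches sibling dirs
	}
	return true // relative paths are assumed to stay under root
}

// resolveInSandbox makes the payload path absolute and cleaned first, then
// checks that it is still inside root. Hypothetical helper.
func resolveInSandbox(root, payload string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	p := payload
	if !filepath.IsAbs(p) {
		p = filepath.Join(absRoot, p) // relative paths are anchored at root
	}
	p = filepath.Clean(p)
	// Rel yields a path starting with ".." when p lies outside absRoot.
	rel, err := filepath.Rel(absRoot, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("payload %q resolves outside %q", payload, absRoot)
	}
	return p, nil
}

func main() {
	// Constructed sample inputs; /opt/templates is an assumed directory.
	root := "/opt/templates"
	for _, p := range []string{"payloads/users.txt", "../../etc/passwd", "/opt/templates-old/x"} {
		_, err := resolveInSandbox(root, p)
		fmt.Printf("%-22s naive=%v hardened_err=%v\n", p, naiveAllowed(root, p), err)
	}
}
```

Both checks are lexical and do not follow symbolic links; a loader that must also resist symlinks inside the template directory would resolve them with `filepath.EvalSymlinks` before the `filepath.Rel` comparison.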

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2023-37896
GHSA-2XX4-JJ5V-6MFF
GO-2023-1998

Affected Products

Nuclei