CVE-2023-49799

Name of the Vulnerable Software and Affected Versions nuxt-api-party versions prior to 0.22.1

Description The issue arises from a recent change in the detection of absolute URLs, which is no longer sufficient to prevent Server-Side Request Forgery (SSRF). The regular expression ^https?:// used to check for absolute URLs can be bypassed by an absolute URL with leading whitespace, such as https://whatever.com. According to the fetch specification, before a fetch is made, the URL is normalized by removing any leading and trailing HTTP whitespace bytes. This means the final request will be normalized to https://whatever.com, bypassing the check and allowing nuxt-api-party to send a request outside of the whitelist. This could allow attackers to leak credentials or perform SSRF.

Recommendations For versions prior to 0.22.1, upgrade to version 0.22.1 or later. As a temporary workaround for users unable to upgrade, revert to the previous method of detecting absolute URLs by using the condition if (new URL(path, 'http://localhost').origin !== 'http://localhost').