CVE-2024-40641

Name of the Vulnerable Software and Affected Versions Nuclei versions prior to 3.3.0

Description A way to execute code templates without the -code option and signature has been discovered in Nuclei. This issue affects some web applications that inherit from Nuclei and allow users to edit and execute workflow files, potentially enabling users to execute arbitrary commands. The issue has been addressed in version 3.3.0.

Recommendations For versions prior to 3.3.0, upgrade to version 3.3.0 to resolve the issue. As a temporary workaround, consider restricting access to workflow files and disabling the execution of unsigned code templates until the upgrade is applied. Avoid using the workflows field in YAML files to pretend to be a workflow file, as this can be used to execute arbitrary commands.