Vulnerability description
Nuxt.js (Nuxt for short) is a general-purpose application framework based on Vue.js for building server-side rendered applications (SSR) and statically generated websites.
There is a code injection vulnerability in the dynamic import function of the test-component-wrapper component in versions prior to Nuxt.js 3.4.3. When the server is running in development mode and the version of Node.js is 12+, the attacker can exploit EMCAScript's The data: import' function imports malicious code or imports gadgets from node_modules to execute malicious code remotely.
Vulnerability name | Nuxt.js < 3.4.3 Remote Code Execution Vulnerability |
---|---|
Vulnerability type | code injection |
Discovery time | 2023/6/14 |
Vulnerability Breadth | wide |
MPS number | MPS-jfyi-nmsv |
CVE number | CVE-2023-3224 |
CNVD number | - |
Sphere of influence
nuxt@[0.0.1, 3.4.3)
Repair plan
Avoid running Nuxt.js in development mode
reference link
https://www.oscs1024.com/hd/MPS-jfyi-nmsv
https://nvd.nist.gov/vuln/detail/CVE-2023-3224
https://huntr.dev/bounties/1eb74fd8-0258-4c1f-a904-83b52e373a87/
https://github.com/nuxt/nuxt/commit/65a8f4eb3ef1b249a95fd59e323835a96428baff
About Murphy Security
Murphy Security is a technology company that provides you with professional software supply chain security management. The core team comes from Baidu, Huawei, Wuyun and other enterprises. The company provides customers with a complete software supply chain security management platform, and provides software with a full life cycle around SBOM Security management, platform capabilities include software component analysis, source security management, container image detection, vulnerability intelligence early warning and commercial software supply chain access assessment and other products. Provide customers with complete control capabilities from supply chain asset identification management, risk detection, security control, and one-key repair.
Open source project: https://github.com/murphysecurity/murphysec/?sf=qbyj
The product can be integrated with various tools in the existing development process at a very low cost, including seamless integration with dozens of tools such as IDE, Gitlab, Bitbucket, Jenkins, Harbor, and Nexus.
Free code security detection tool: https://www.murphysec.com/?sf=qbyj
Free intelligence subscription: https://www.oscs1024.com/cm/?sf=qbyj