Full Report
A high-severity security flaw has been disclosed in ProjectDiscovery's Nuclei, a widely-used open-source vulnerability scanner that, if successfully exploited, could allow attackers to bypass signature checks and potentially execute malicious code. Tracked as CVE-2024-43405, it carries a CVSS score of 7.4 out of a maximum of 10.0. It impacts all versions of Nuclei later than 3.0.0. "The
Analysis Summary
# Vulnerability: Nuclei Template Signature Bypass Leading to Code Execution
## CVE Details
- CVE ID: CVE-2024-43405
- CVSS Score: 7.4 (High)
- CWE: Not explicitly mentioned, related to Improper Input Validation/Verification Mechanism Bypass.
## Affected Systems
- Products: ProjectDiscovery Nuclei (Vulnerability scanner)
- Versions: All versions later than 3.0.0.
- Configurations: Templates verified using the built-in signature verification process.
## Vulnerability Description
The vulnerability stems from a discrepancy between how the YAML parser and the template signature verification process handle newline characters. This allows an attacker to craft a malicious Nuclei template where a benign portion of the template is correctly signed, while injecting malicious content (that leverages the `code` protocol for execution) which bypasses the signature check. Successful exploitation allows an attacker to execute arbitrary code on the host running Nuclei by having it process the malicious template.
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but the mechanism allows for unauthenticated template execution bypass.
- Complexity: Likely Medium, requiring knowledge of Nuclei template structure and the specific parsing flaw.
- Attack Vector: Network (if loading remote/uploaded malicious templates) or Local (if loading a malicious template file).
## Impact
- Confidentiality: High (Arbitrary code execution potentially allows access to sensitive host data)
- Integrity: High (Arbitrary code execution allows modification of system state)
- Availability: High (Arbitrary code execution can lead to denial of service or system compromise)
## Remediation
### Patches
- The advisory implies versions *after* 3.0.0 are affected, suggesting patches are available in subsequent releases. Users must update to the patched version provided by ProjectDiscovery. (Specific patched version numbers are not provided in the context, users must check vendor advisories).
### Workarounds
- Reliance on signature verification is the primary control that is bypassed. Until patched, the primary mitigation is to **only use trusted, first-party templates** and thoroughly vet any community or third-party templates before execution, knowing the signature verification mechanism is untrustworthy for integrity checking.
## Detection
- Indicators of Compromise: Unexpected process execution originating from the Nuclei scanner process, file system changes, or network activity inconsistent with scanning operations.
- Detection methods and tools: Monitoring for anomalous behavior around the execution contexts of Nuclei, especially when processing templates from untrusted sources. Security tooling should look for payload injection within YAML signature structures that might indicate tampering.
## References
- Vendor Advisories: [https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-7h5p-mmpp-hgmm](https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-7h5p-mmpp-hgmm)
- Discovery Source: [https://www.wiz.io/blog/nuclei-signature-verification-bypass/](https://www.wiz.io/blog/nuclei-signature-verification-bypass/)
- Original Article: [https://thehackernews.com/2025/01/researchers-uncover-nuclei.html](https://thehackernews.com/2025/01/researchers-uncover-nuclei.html)