CVE-2023-49799: `nuxt-api-party` is an open source module to proxy API requests. nuxt-api-party attempts to check if the user has passed an absolute URL to prevent th...

Description

`nuxt-api-party` is an open source module to proxy API requests. nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use the regular expression `^https?://`, however this regular expression can be bypassed by an absolute URL with leading whitespace. For example `\nhttps://whatever.com` which has a leading newline. According to the fetch specification, before a fetch is made the URL is normalized. "To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue.". This means the final request will be normalized to `https://whatever.com` bypassing the check and nuxt-api-party will send a request outside of the whitelist. This could allow us to leak credentials or perform Server-Side Request Forgery (SSRF). This vulnerability has been addressed in version 0.22.1. Users are advised to upgrade. Users unable to upgrade should revert to the previous method of detecting absolute URLs.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.82%

52.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-918

Affected Software

Vendor	Product	Versions
Johannschopplich	Nuxt Api Party	<= 0.21.3

References

https://fetch.spec.whatwg.org/Not Applicable
https://fetch.spec.whatwg.org/#http-whitespace-byteNot Applicable
https://github.com/johannschopplich/nuxt-api-party/blob/777462e1e3af1d9f8938aa33f230cd8cb6e0cc9a/src/runtime/server/handler.ts#L31Issue Tracking
https://github.com/johannschopplich/nuxt-api-party/security/advisories/GHSA-3wfp-253j-5jxvExploit, Mitigation, Vendor Advisory
https://infra.spec.whatwg.org/#byte-sequenceNot Applicable
https://fetch.spec.whatwg.org/Not Applicable
https://fetch.spec.whatwg.org/#http-whitespace-byteNot Applicable
https://github.com/johannschopplich/nuxt-api-party/blob/777462e1e3af1d9f8938aa33f230cd8cb6e0cc9a/src/runtime/server/handler.ts#L31Issue Tracking
https://github.com/johannschopplich/nuxt-api-party/security/advisories/GHSA-3wfp-253j-5jxvExploit, Mitigation, Vendor Advisory
https://infra.spec.whatwg.org/#byte-sequenceNot Applicable

Timeline

Published: Dec 9, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-49799?

`nuxt-api-party` is an open source module to proxy API requests. nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use the regular expression `^https?://`, however this regular expression can be bypassed by an absolute URL with leading whitespace. For example `\nhttps://whatever.com` which has a leading newline. According to the fetch specification, before a fetch is made the URL is normalized. "To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue.". This means the final request will be normalized to `https://whatever.com` bypassing the check and nuxt-api-party will send a request outside of the whitelist. This could allow us to leak credentials or perform Server-Side Request Forgery (SSRF). This vulnerability has been addressed in version 0.22.1. Users are advised to upgrade. Users unable to upgrade should revert to the previous method of detecting absolute URLs.

How severe is CVE-2023-49799?

CVE-2023-49799 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.82% probability of exploitation in the next 30 days.

How do I fix CVE-2023-49799?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.