Home > Vulnerability Database > CVE-2023-49800

Mend.io Vulnerability Database

CVE-2023-49800

Good to know:

Date: December 8, 2023

"nuxt-api-party" is an open source module to proxy API requests. The library allows the user to send many options directly to "ofetch". There is no filter on which options are available. We can abuse the retry logic to cause the server to crash from a stack overflow. fetchOptions are obtained directly from the request body. A malicious user can construct a URL known to not fetch successfully, then set the retry attempts to a high value, this will cause a stack overflow as ofetch error handling works recursively resulting in a denial of service. This issue has been addressed in version 0.22.1. Users are advised to upgrade. Users unable to upgrade should limit ofetch options.

Language: TYPE_SCRIPT

Severity Score

7.5

Related Resources (4)

Url: https://github.com/johannschopplich/nuxt-api-party/security/advisories/GHSA-q6hx-3m4p-749h

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-49800

Url: https://github.com/johannschopplich/nuxt-api-party

Url: https://www.mend.io/vulnerability-database/CVE-2023-49800

Severity Score

7.5

Weakness Type (CWE)

Out-of-bounds Write

CWE-787

Uncontrolled Resource Consumption

CWE-400

Uncontrolled Recursion

CWE-674

Top Fix

Upgrade Version

Upgrade to version nuxt-api-party - 0.22.1

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-49800

Good to know:

Date: December 8, 2023

Language: TYPE_SCRIPT

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?