CVE-2024-42352: Nuxt Icon affected by a Server-Side Request Forgery (SSRF)

August 5, 2024

nuxt/icon provides an API to allow client side icon lookup. This endpoint is at /api/_nuxt_icon/[name].

The proxied request path is improperly parsed, allowing an attacker to change the scheme and host of the request. This leads to SSRF, and could potentially lead to sensitive data exposure.

References

github.com/advisories/GHSA-cxgv-px37-4mp2
github.com/nuxt/icon
github.com/nuxt/icon/commit/4564518c2b2ed8235a7715056ccdfce96ca3d0ff
github.com/nuxt/icon/security/advisories/GHSA-cxgv-px37-4mp2
nvd.nist.gov/vuln/detail/CVE-2024-42352

Code Behaviors & Features

Detect and mitigate CVE-2024-42352 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →