Critical Signature Verification Flaw Discovered in Popular Security Scanner Nuclei



A high-severity security vulnerability has been discovered in Nuclei, a popular open-source security scanning tool used by organizations worldwide. The flaw, identified as CVE-2024-43405, could allow attackers to bypass Nuclei's signature verification system and execute malicious code.

Nuclei, with over 21,000 GitHub stars and 2.1 million downloads, is widely deployed for detecting vulnerabilities across digital assets. The discovered bypass vulnerability stems from inconsistencies between how Nuclei's signature verification process and YAML parser handle template content.

The Technical Details

The vulnerability arises from three key weaknesses in Nuclei's implementation:

  1. Parser Inconsistencies - Go's regex-based signature verification and the YAML parser handle line breaks differently, so the two can see different template content
  2. First-Signature Trust - Only the first signature line is validated; any additional signature lines are ignored
  3. Inconsistent Signature Removal - All signature lines are stripped from the content that is hashed, but only the first one is verified

An attacker could exploit these issues by crafting malicious templates with manipulated signature lines and carefully placed line breaks to bypass verification while still executing harmful code.
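The three weaknesses above share one root cause: the bytes the verifier signs are not the bytes the parser consumes. The following Go program is an added example, not Nuclei's or ProjectDiscovery's code, showing a template verifier written to close that gap. It assumes a hypothetical signature line format (`# digest: <hex>`) and uses HMAC-SHA256 with a constructed key as a stand-in for the project's real signing scheme; the sample template is constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// Hypothetical signature line format for this example; Nuclei's real format
// and key handling are not reproduced here.
var sigLine = regexp.MustCompile(`(?m)^# digest: ([0-9a-f]{64})$`)

// canonicalize normalizes every line ending to "\n" so the verifier and any
// downstream parser operate on identical bytes (addresses weakness 1).
func canonicalize(content []byte) []byte {
	content = bytes.ReplaceAll(content, []byte("\r\n"), []byte("\n"))
	return bytes.ReplaceAll(content, []byte("\r"), []byte("\n"))
}

// sign computes HMAC-SHA256 (stand-in for the real signing algorithm) over a
// canonical body that contains no signature line.
func sign(key, body []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// SignTemplate canonicalizes the body and appends exactly one signature line.
func SignTemplate(key, body []byte) ([]byte, error) {
	body = canonicalize(body)
	if sigLine.Match(body) {
		return nil, errors.New("body already contains a signature line")
	}
	if !bytes.HasSuffix(body, []byte("\n")) {
		body = append(body, '\n')
	}
	return append(body, []byte("# digest: "+sign(key, body)+"\n")...), nil
}

// VerifyTemplate returns the exact bytes the parser is allowed to consume, or
// an error. It refuses templates with more or fewer than one signature line
// (addresses weaknesses 2 and 3), requires the signature to be the final line,
// and hashes precisely the bytes that precede it.
func VerifyTemplate(key, content []byte) ([]byte, error) {
	content = canonicalize(content)
	matches := sigLine.FindAllSubmatchIndex(content, -1)
	if len(matches) != 1 {
		return nil, fmt.Errorf("expected exactly one signature line, found %d", len(matches))
	}
	m := matches[0]
	lineEnd := m[1]
	if lineEnd < len(content) && content[lineEnd] == '\n' {
		lineEnd++
	}
	if lineEnd != len(content) {
		return nil, errors.New("signature line must be the last line of the template")
	}
	body := content[:m[0]]
	want := content[m[2]:m[3]]
	got := []byte(sign(key, body))
	if !hmac.Equal(got, want) {
		return nil, errors.New("signature mismatch")
	}
	return body, nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed; never hard-code real keys
	// Constructed sample template using CRLF line endings.
	body := []byte("id: demo\r\ninfo:\r\n  name: constructed sample\r\n")
	signed, err := SignTemplate(key, body)
	if err != nil {
		panic(err)
	}
	if verified, err := VerifyTemplate(key, signed); err == nil {
		fmt.Printf("verified %d bytes; parse exactly these\n", len(verified))
	}
	// A second signature line, however it is placed, is rejected outright.
	extra := append(append([]byte{}, signed...), []byte("# digest: "+hex.EncodeToString(make([]byte, 32))+"\n")...)
	_, err = VerifyTemplate(key, extra)
	fmt.Println("second signature line:", err)
}
```

The design choice worth noting is that `VerifyTemplate` returns the verified bytes rather than a boolean: the caller hands that slice, and nothing else, to the YAML parser, so there is no second reading of the file in which the parser could see content the verifier did not.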

Real-World Impact

Organizations running untrusted or community-contributed Nuclei templates without proper isolation are at risk. Services allowing template uploads or modifications are particularly vulnerable. Successful exploitation could lead to:

  • Arbitrary command execution
  • Data exfiltration
  • System compromise

Recommended Actions

Users should:

  • Update to Nuclei version 3.3.2 or higher
  • Run Nuclei in isolated, sandboxed environments
  • Validate all template sources

The vulnerability was responsibly disclosed to ProjectDiscovery in August 2024. They quickly acknowledged the issue and released a patched version in September 2024.

This discovery emphasizes the need for robust verification mechanisms and defense-in-depth security approaches when dealing with template-based security tools.