VYPR
← All advisories
High severityNVD Advisory· Published Dec 8, 2023· Updated Nov 27, 2024

Server-Side Request Forgery in nuxt-api-party

CVE-2023-49799

Description

Nuxt API Party module SSRF due to incomplete regex URL validation bypassed by leading whitespace.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nuxt API Party module SSRF due to incomplete regex URL validation bypassed by leading whitespace.

Vulnerability

Analysis

CVE-2023-49799 is a Server-Side Request Forgery (SSRF) vulnerability in the nuxt-api-party module, an open-source Nuxt module that proxies API requests. The module attempts to validate user-supplied URLs by checking if they start with https?:// using the regular expression ^https?://. However, this check is insufficient because the Fetch Standard (as defined in the WHATWG Fetch specification) normalizes URLs by removing leading and trailing HTTP whitespace bytes before issuing the request [1][3]. A URL like \nhttps://attacker.com passes the regex check (since it does not start with https:// but with a newline), yet after normalization it becomes a valid absolute URL to an external host, bypassing the whitelist [4].

Exploitation

An attacker with the ability to supply a URL to an application using nuxt-api-party (e.g., through an input field or API parameter) can craft a payload that begins with HTTP whitespace characters, such as a newline or space. The module’s validation logic rejects any string that starts with http or https, but fails to account for leading whitespace. When the Fetch API processes the request, it normalizes the URL by stripping those whitespace bytes, resulting in a valid request to an attacker-controlled server [1][2][3]. No authentication or special network position is required if the vulnerable endpoint is publicly accessible.

Impact

Successful exploitation allows an attacker to perform Server-Side Request Forgery (SSRF), potentially leaking sensitive credentials stored in HTTP cookies, TLS client certificates, or HTTP authentication entries [1]. The attacker could also use the server as a proxy to reach internal systems, perform port scans, or access cloud metadata endpoints, depending on the application’s configuration.

Mitigation

The vulnerability has been addressed in nuxt-api-party version 0.22.1. Users are strongly advised to upgrade immediately. For those unable to upgrade, the recommended workaround is to revert to the previous method of detecting absolute URLs, which was more robust. No other mitigations are currently available [4].

References
  1. Fetch Standard
  2. Infra Standard
  3. Fetch Standard
  4. NVD - CVE-2023-49799

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
nuxt-api-partynpm
< 0.22.00.22.0

Affected products

2

Patches

1
72762a200fc1

fix(server): block bypassing absolute URL with leading whitespace

https://github.com/johannschopplich/nuxt-api-partyJohann SchopplichDec 8, 2023via ghsa
commit
1 file changed · +1 1
  • src/runtime/server/handler.ts+1 1 modified
    @@ -28,7 +28,7 @@ export default defineEventHandler(async (event): Promise<any> => {
   } = _body
 
   // Check if the path is an absolute URL
-  if (/^https?:\/\//.test(path)) {
+  if (new URL(path, 'http://localhost').origin !== 'http://localhost') {
     throw createError({
       statusCode: 400,
       statusMessage: 'Absolute URLs are not allowed',

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9

News mentions

0

No linked articles in our index yet.