High severity · NVD Advisory · Published Dec 8, 2023 · Updated Aug 2, 2024

Denial of service by abusing `fetchOptions.retry` in nuxt-api-party

CVE-2023-49800

Description

nuxt-api-party before 0.22.1 allows unauthenticated denial of service via a crafted POST request that sets a high retry value, causing a stack overflow in ofetch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2023-49800 is a denial-of-service (DoS) vulnerability in the Nuxt module nuxt-api-party, an open-source library that proxies API requests. The root cause is that the module passes user-supplied `fetchOptions` directly to the underlying HTTP client, ofetch, without filtering which options are allowed [1][3]. The `retry` option, which controls the number of automatic retries on failure, can be abused to cause a stack overflow.

Exploitation

An attacker can send a single POST request to any proxied endpoint (e.g., `/api/__api_party/`) with a JSON body containing a path that will force a fetch failure (such as an invalid protocol like `x:x`) and an extremely high `retry` value (e.g., `9999999`) [3]. Since ofetch handles errors recursively, each failed attempt triggers another retry, quickly exhausting the call stack. The attack does not require authentication or any special privileges other than network access to the Nuxt application [1][3].

Impact

Successful exploitation causes the Node.js server to crash or become completely unresponsive, resulting in a full denial of service. The advisory notes that the server is unusable during the attack and that a single request is sufficient [3]. No data is compromised, but the service is made unavailable.

Mitigation

The issue has been fixed in nuxt-api-party version 0.22.1. Users should upgrade immediately [1][3]. For those unable to upgrade, the recommended workaround is to limit the fetchOptions that can be passed to ofetch at the application level, such as stripping or validating the retry parameter before forwarding the request [1].
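
One way to apply the workaround described above, as an added example that is not code from nuxt-api-party or the advisory: an allowlist filter for the proxy request body, written as a plain function. The function names, the body shape, the allowlisted keys and the retry ceiling of 3 are assumptions of this example.

```javascript
// Added example: allowlist filter for a proxy request body.
// Assumed body shape: a top-level `path` plus fetch options in one JSON object.
const ALLOWED_KEYS = new Set(["path", "method", "query", "headers", "body"]); // assumed policy
const MAX_RETRY = 3; // assumed ceiling; choose what the upstream API tolerates

// A retry count is accepted only as a small non-negative integer.
function isBoundedRetry(value, maxRetry) {
  return Number.isInteger(value) && value >= 0 && value <= maxRetry;
}

// Returns a copy holding only permitted keys, plus the names of rejected keys
// so the caller can log them or answer with HTTP 400.
function sanitizeProxyBody(input, maxRetry = MAX_RETRY) {
  if (input === null || typeof input !== "object" || Array.isArray(input)) {
    throw new TypeError("proxy request body must be a JSON object");
  }
  const clean = {};
  const dropped = [];
  for (const [key, value] of Object.entries(input)) {
    if (ALLOWED_KEYS.has(key)) {
      clean[key] = value;
    } else if (key === "retry" && isBoundedRetry(value, maxRetry)) {
      clean.retry = value;
    } else {
      dropped.push(key); // unknown option or out-of-range retry
    }
  }
  return { clean, dropped };
}

// Constructed sample bodies; the first mirrors the request shape described above.
const samples = [
  '{"path":"x:x","retry":9999999}',
  '{"path":"/users","method":"GET","retry":2}',
  '{"path":"/users","retry":"5","someOtherOption":true}',
];
for (const raw of samples) {
  const { clean, dropped } = sanitizeProxyBody(JSON.parse(raw));
  console.log(JSON.stringify(clean), "dropped:", dropped.join(",") || "none");
}
```

Call it on the parsed body before the request reaches the proxy handler; rejecting any request whose `dropped` list is non-empty is the stricter option.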

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| nuxt-api-party (npm) | < 0.22.1 | 0.22.1 |
