projectdiscovery nuclei
cpe:2.3:a:projectdiscovery:nuclei:*:*:*:*:go:*:*
- >= 3.0.0, < 3.8.0
A vulnerability exists in the Nuclei vulnerability scanner, affecting versions 3.0.0 and later prior to 3.8.0. The issue is in the expression evaluation engine: a malicious target server can inject DSL expressions that the engine then executes. It is triggered when HTTP response data containing helper or function syntax is extracted by a multi-step template and reused in a later request, because the extracted value is reinterpreted as an expression rather than treated as an opaque string. If the '-env-vars' or '-ev' option is enabled, the injected expression can read host environment variables. That option is off by default, so default configurations do not expose environment variables through this flaw. The vulnerability is patched in version 3.8.0.
Exploitation allows a target to inject DSL expressions that are executed during template evaluation. If the '-env-vars' option is enabled, this can disclose sensitive environment variables of the scanning host, such as API keys and tokens, to the target.
To reproduce, run Nuclei version 3.0.0 or later prior to 3.8.0 with the '-env-vars' or '-ev' option enabled. Point a multi-step template that extracts a value from the first response and reuses it in a subsequent request at a target you control, and have that target return DSL helper or function syntax in the extracted field. Because the extracted value is re-evaluated as an expression, the injected expression runs and can read the host's environment variables.
Upgrade to Nuclei version 3.8.0, which changes the evaluation logic so that only template-authored expressions are processed and response-derived values are never reinterpreted as DSL.
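The following Go program is an added illustration of the vulnerable evaluation pattern and its fix; it is a constructed toy DSL written for this page, not Nuclei's engine or any of its code. The `env("NAME")` helper is an assumed stand-in for whatever mechanism exposes host environment variables when `-env-vars` is on, and the response body, template, variable names and `DEMO_API_KEY` secret are constructed sample data. `renderVulnerable` substitutes extracted variables and then re-scans the result, so DSL syntax returned by the target is executed; `renderFixed` evaluates only the expressions the template author wrote and treats substituted values as opaque strings.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Constructed toy DSL modelling the pattern described in the advisory; it is
// not Nuclei's engine. An expression is written {{ ... }} and is either a bare
// variable name or one of two functions:
//   env("NAME")  -> host environment variable NAME (only if envEnabled, i.e. -env-vars)
//   len("str")   -> decimal length of the literal
var exprRe = regexp.MustCompile(`\{\{([^}]*)\}\}`)
var callRe = regexp.MustCompile(`^(\w+)\("([^"]*)"\)$`)

// Constructed sample data: a step-1 response from a malicious target whose
// body carries DSL syntax, and a step-2 request template that reuses the
// extracted value together with a template-authored len() call.
const maliciousResponse = "HTTP/1.1 200 OK\r\n\r\ntoken={{env(\"DEMO_API_KEY\")}}\r\n"
const step2Template = `GET /api?t={{token}}&n={{len("abc")}}`

// extractToken models a step-1 regex extractor that captures the token value.
func extractToken(body string) string {
	m := regexp.MustCompile(`token=(\S+)`).FindStringSubmatch(body)
	if m == nil {
		return ""
	}
	return m[1]
}

// evalExpr evaluates one expression body: a function call or a variable lookup.
func evalExpr(body string, vars map[string]string, envEnabled bool) string {
	body = strings.TrimSpace(body)
	if m := callRe.FindStringSubmatch(body); m != nil {
		switch m[1] {
		case "env":
			if envEnabled {
				return os.Getenv(m[2])
			}
			return ""
		case "len":
			return fmt.Sprint(len(m[2]))
		}
		return ""
	}
	return vars[body] // unknown names render as empty
}

// renderVulnerable models the pre-3.8.0 behaviour: variables are substituted
// first and the result is scanned again, so a variable whose value came from
// the target's response is reinterpreted as DSL.
func renderVulnerable(tmpl string, vars map[string]string, envEnabled bool) string {
	expanded := exprRe.ReplaceAllStringFunc(tmpl, func(s string) string {
		if v, ok := vars[strings.TrimSpace(s[2:len(s)-2])]; ok {
			return v
		}
		return s
	})
	return exprRe.ReplaceAllStringFunc(expanded, func(s string) string {
		return evalExpr(s[2:len(s)-2], vars, envEnabled)
	})
}

// renderFixed models the 3.8.0 logic: a single pass over the template the
// author wrote. Substituted values are opaque strings and are never re-scanned.
func renderFixed(tmpl string, vars map[string]string, envEnabled bool) string {
	return exprRe.ReplaceAllStringFunc(tmpl, func(s string) string {
		return evalExpr(s[2:len(s)-2], vars, envEnabled)
	})
}

func main() {
	os.Setenv("DEMO_API_KEY", "sk-constructed-123") // constructed secret for the demo
	vars := map[string]string{"token": extractToken(maliciousResponse)}
	fmt.Println("vulnerable, -env-vars on :", renderVulnerable(step2Template, vars, true))
	fmt.Println("vulnerable, -env-vars off:", renderVulnerable(step2Template, vars, false))
	fmt.Println("fixed,      -env-vars on :", renderFixed(step2Template, vars, true))
}
```

With `-env-vars` modelled as on, the vulnerable path sends the secret to the target in the second request, while with it off the injected expression resolves to an empty string, which is why default configurations are not exposed. The fixed path leaves the target-supplied `{{env("DEMO_API_KEY")}}` as literal text in the request, regardless of the option.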