projectdiscovery nuclei
cpe:2.3:a:projectdiscovery:nuclei:*:*:*:*:go:*:*
- >= 3.0.0, < 3.8.0
A local file read vulnerability has been identified in Nuclei versions from 3.0.0 up to, but not including, 3.8.0. The issue arises in the JavaScript protocol runtime, where the default file access restrictions are bypassed, allowing templates to read local .js and .json files using the require() function. This vulnerability could expose sensitive information from files like package.json or other JSON configuration files. The problem has been addressed in Nuclei version 3.8.0.
Exploitation of this vulnerability allows JavaScript templates to read local .js and .json files, bypassing default access restrictions. This could lead to the unintentional disclosure of sensitive information from files such as package.json or other JSON configuration files.
To reproduce this vulnerability, use a Nuclei version from 3.0.0 up to, but not including, 3.8.0 and run a JavaScript template that uses the require() function to access local .js or .json files. The template can be placed in a directory outside the allowed file access path, demonstrating how the vulnerability bypasses restrictions.
Upgrade to Nuclei version 3.8.0 or later, where this vulnerability has been fixed. If an immediate upgrade is not possible, avoid running untrusted JavaScript templates, as there is no available flag or configuration to mitigate this issue in the affected versions.
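A triage check for the interim advice above, as an added example (not code from the Nuclei project): it tests a version string against the affected range stated on this page and lists require() arguments found in JavaScript-protocol templates so they can be reviewed before a run. It assumes the template marks the protocol with a `javascript:` key and that Nuclei's built-in modules are imported under the `nuclei/` prefix; `SAMPLE` and all function names are constructed for illustration.

```python
import re

# Affected range as stated on this page: >= 3.0.0, < 3.8.0
AFFECTED_MIN, AFFECTED_MAX = (3, 0, 0), (3, 8, 0)

# A "javascript:" key marks a JavaScript-protocol template (assumption).
JS_PROTOCOL_RE = re.compile(r"^\s*(?:-\s*)?javascript\s*:", re.MULTILINE)
CALL_RE = re.compile(r"\brequire\s*\(\s*([^)]*)\)")
LITERAL_RE = re.compile(r"""^(['"])([^'"]*)\1$""")

# Constructed sample template fragment, not taken from any real template.
SAMPLE = '''\
id: constructed-sample
javascript:
  - code: |
      const ssh = require("nuclei/ssh");
      const cfg = require("./package.json");
      const dyn = require(name);
'''


def parse_version(text):
    """Extract (major, minor, patch) from a string such as 'v3.7.1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version_text):
    """True when the version falls inside the affected range."""
    return AFFECTED_MIN <= parse_version(version_text) < AFFECTED_MAX


def suspicious_requires(template_text):
    """List require() arguments that are not literal 'nuclei/...' modules."""
    if not JS_PROTOCOL_RE.search(template_text):
        return []
    findings = []
    for call in CALL_RE.finditer(template_text):
        arg = call.group(1).strip()
        literal = LITERAL_RE.match(arg)
        if literal is None:
            findings.append(f"<non-literal> {arg}")  # cannot be judged statically
        elif not literal.group(2).startswith("nuclei/"):
            findings.append(literal.group(2))
    return findings


if __name__ == "__main__":
    print(is_affected("v3.7.1"), suspicious_requires(SAMPLE))
```

A finding is a prompt to review the template by hand, not proof of abuse; pre-release suffixes on the version string are ignored by the range check.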