CVE-2023-49799: 
JavaScript vulnerability analysis and mitigation

nuxt-api-party is an open source module to proxy API requests. A vulnerability was discovered in versions up to 0.21.3 where the module attempts to check if the user has passed an absolute URL to prevent attacks using a regular expression ^https?://. However, this check can be bypassed by an absolute URL with leading whitespace (e.g., \nhttps://whatever.com), which gets normalized during fetch operations, potentially allowing credential leaks or Server-Side Request Forgery (SSRF). This vulnerability was fixed in version 0.22.1. (GitHub Advisory, NVD)

The vulnerability stems from an insufficient URL validation mechanism. When a fetch request is made, the URL is normalized according to the fetch specification, which removes any leading and trailing HTTP whitespace bytes. This means that a URL with leading whitespace like \nhttps://whatever.com would be normalized to https://whatever.com, bypassing the regular expression check ^https?:// used by nuxt-api-party. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. (GitHub Advisory, Fetch Spec)

The vulnerability could allow attackers to leak credentials or perform Server-Side Request Forgery (SSRF) by bypassing the URL validation mechanism. This could potentially lead to unauthorized access to internal resources or exposure of sensitive API credentials. (GitHub Advisory)

Users are advised to upgrade to version 0.22.1 which contains the fix. For those unable to upgrade, it is recommended to revert to the previous method of detecting absolute URLs using the pattern: if (new URL(path, 'http://localhost').origin !== 'http://localhost'). (GitHub Advisory)