
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity vulnerability (CVE-2024-43405) was discovered in Nuclei, a widely-used open-source vulnerability scanner with over 21,000 GitHub stars and 2.1 million downloads. The vulnerability affects versions from 3.0.0 to 3.3.1 and was identified in the template signature verification system. The flaw was discovered by Wiz's engineering team and was patched in version 3.3.2, released in September 2024 (Wiz Blog, GitHub Advisory).
The vulnerability stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, specifically in the signer package. The issue arises because Go's regex-based signature verification treats \r as part of the same line, while the YAML parser interprets it as a line break. The vulnerability carries a CVSS score of 7.8 (HIGH) according to NVD, with a vector string of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD, SecurityWeek).
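As an added illustration (not code from Wiz or the Nuclei project), the Go program below models the two newline views the report describes, a (?m)-anchored regexp that only recognises \n against the YAML line-break set (CRLF, bare CR, LF), and shows the defensive pre-check a verifier can apply: refuse any template on which the two views disagree before trusting a signature over it. The function names and sample strings are constructed for this example and the YAML view is modelled with a regexp rather than a YAML library.

```go
package main

import (
	"errors"
	"reflect"
	"regexp"
)

// Model of a signature verifier that locates template lines with a multiline
// regexp: Go's (?m) mode treats only '\n' as a line terminator, so '\r' stays
// inside the captured line content.
var regexLine = regexp.MustCompile(`(?m)^(.*)$`)

// Model of the YAML parser's line-break set (CRLF, bare CR, LF), written as a
// regexp so the example needs no YAML library.
var yamlBreak = regexp.MustCompile("\r\n|\r|\n")

// LinesAsRegexVerifierSees returns the lines the regexp-based view yields.
func LinesAsRegexVerifierSees(text string) []string {
	var out []string
	for _, m := range regexLine.FindAllStringSubmatch(text, -1) {
		out = append(out, m[1])
	}
	return out
}

// LinesAsYAMLParserSees returns the lines the YAML-style view yields.
func LinesAsYAMLParserSees(text string) []string {
	return yamlBreak.Split(text, -1)
}

// ViewsDisagree reports whether the two components would see different line
// boundaries, which is exactly the condition a verifier must rule out.
func ViewsDisagree(text string) bool {
	return !reflect.DeepEqual(LinesAsRegexVerifierSees(text), LinesAsYAMLParserSees(text))
}

// CanonicalizeForVerification is the defensive pre-check: refuse any input on
// which the views disagree (in practice, anything containing '\r').
func CanonicalizeForVerification(text string) (string, error) {
	if ViewsDisagree(text) {
		return "", errors.New("template line endings are ambiguous; refusing to verify")
	}
	return text, nil
}

// Constructed samples (not real Nuclei templates) used by the checks.
const (
	CleanSample     = "id: demo\ninfo:\n  name: example\n"
	AmbiguousSample = "id: demo\rinfo:\n  name: example\n"
)
```

On AmbiguousSample the regexp view yields three lines (the first being "id: demo\rinfo:") while the YAML view yields four, so the pre-check rejects it; CleanSample passes unchanged.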
The vulnerability could allow attackers to bypass the signature check and execute malicious code via custom code templates. This is particularly concerning for organizations running untrusted or community-contributed templates without proper validation or isolation. The impact extends to both CLI users executing custom code templates from unverified sources and SDK users integrating Nuclei into their platforms, especially if they permit end-users to execute custom code templates (GitHub Advisory).
The primary mitigation is to upgrade to Nuclei version 3.3.2 or newer, which contains the patch for this vulnerability. For users unable to upgrade immediately, it is recommended to disable running custom code templates and refrain from using custom templates. Organizations should also ensure Nuclei is run in a sandboxed or highly isolated environment to prevent potential exploitation of untrusted templates (GitHub Advisory).
Source: This report was generated using AI