Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐹 Go

GHSA-w5wx-6g2r-r78q

HIGH

Nuclei allows unsigned code template execution through workflows

Also known asCVE-2024-27920GO-2024-2645
Published
Mar 15, 2024
Updated
Aug 20, 2024
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.4%probability of exploitation in next 30 days
Lower Risk33th percentile+0.05%
0.00%0.30%0.61%0.91%0.1%0.4%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐹github.com/projectdiscovery/nuclei/v3

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Overview

A significant security oversight was identified in Nuclei v3, involving the execution of unsigned code templates through workflows. This vulnerability specifically affects users utilizing custom workflows, potentially allowing the execution of malicious code on the user's system. This advisory outlines the impacted users, provides details on the security patch, and suggests mitigation strategies.

Affected Users

  1. CLI Users: Those executing custom workflows from untrusted sources. This includes workflows authored by third parties or obtained from unverified repositories.
  2. SDK Users: Developers integrating Nuclei into their platforms, particularly if they permit the execution of custom workflows by end-users.

Security Patch

The vulnerability is addressed in Nuclei v3.2.0. Users are strongly recommended to update to this version to mitigate the security risk.

Mitigation

  • Immediate Upgrade: The primary recommendation is to upgrade to Nuclei v3.2.0, where the vulnerability has been patched.
  • Avoid Untrusted Workflows: As an interim measure, users should refrain from using custom workflows if unable to upgrade immediately. Only trusted, verified workflows should be executed.

Details

The vulnerability stems from an oversight in the workflow execution mechanism, where unsigned code templates could be executed, bypassing the security measures intended to authenticate the integrity and source of the templates. This issue is isolated to workflow executions and does not affect direct template executions.

Workarounds

The only effective workaround, aside from upgrading, is to avoid the use of custom workflows altogether. This approach limits functionality but ensures security until the upgrade can be performed.

Acknowledgements

We extend our sincere gratitude to @gpc1996 for their diligence in identifying and reporting this vulnerability.

References

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐹Gogithub.com/projectdiscovery/nuclei/v33.0.0&&< 3.2.03.2.0

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/projectdiscovery/nuclei/v3. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update github.com/projectdiscovery/nuclei/v3 to 3.2.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-w5wx-6g2r-r78q is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-w5wx-6g2r-r78q is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-w5wx-6g2r-r78q. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Overview A significant security oversight was identified in Nuclei v3, involving the execution of unsigned code templates through workflows. This vulnerability specifically affects users utilizing custom workflows, potentially allowing the execution of malicious code on the user's system. This advisory outlines the impacted users, provides details on the security patch, and suggests mitigation strategies. ### Affected Users 1. **CLI Users:** Those executing custom workflows from untrusted sources. This includes workflows authored by third parties or obtained from unverified repositories.
O3 Security · Impact-Aware SCA

Is GHSA-w5wx-6g2r-r78q in your dependencies?

O3 detects GHSA-w5wx-6g2r-r78q across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works