Vercel Flags SDK, Information Disclosure, CVE-2023-XXXX (Medium)

How the Vulnerability Works

The CVE-2023-XXXX vulnerability in the Vercel Flags SDK (`flags` ≤3.2.0 and `@vercel/flags` ≤3.1.1) allows unauthorized access to sensitive feature flag data via the flags discovery endpoint (`/.well-known/vercel/flags`). Attackers can send crafted HTTP requests to this endpoint and bypass its access control because the `verifyAccess` function does not validate the request sufficiently. This exposes flag names, descriptions, available options (e.g., true/false), and default values. No write access is granted and no customer data is leaked, but the disclosed flag metadata can aid attackers in reconnaissance for further attacks. Vercel mitigated this by blocking the default endpoint and patching `verifyAccess` in [email protected].

DailyCVE Form

Platform: Vercel Flags SDK
Version: ≤3.2.0, ≤3.1.1
Vulnerability: Information Disclosure
Severity: Medium
Date: 2023-XX-XX

What Undercode Say:

Exploitation:

1. Endpoint Enumeration:

curl -X GET https://target.com/.well-known/vercel/flags

If unpatched, returns JSON with flag metadata.

2. Custom Path Detection:

ffuf -u "https://target.com/FUZZ" -w common_paths.txt -mc 200

Mitigation:

1. Upgrade:

npm install [email protected]

2. WAF Rule (Cloudflare):

{
  "description": "Block Flags Endpoint",
  "action": "block",
  "expression": "http.request.uri.path contains \"/.well-known/vercel/flags\""
}

3. Temporary NGINX Block:

# Anchored regex with the dot escaped so only this path is matched;
# return runs before the access phase, so the 403 is sent without consulting deny.
location ~ ^/\.well-known/vercel/flags {
    deny all;
    return 403;
}

4. Verification Post-Upgrade:

npm list flags

Ensure output shows `[email protected]`.

5. Automated Scanning:

import requests

# Probe the discovery endpoint; a blocked (patched) deployment should refuse the request.
response = requests.get("https://target.com/.well-known/vercel/flags", timeout=10)
assert response.status_code == 403, "Vulnerable!"

Detection:

  • Log Monitoring:
    grep "GET /.well-known/vercel/flags" access.log

  • Patch Validation:
    const { verifyAccess } = require('flags');
    // This check assumes the patched verifyAccess source contains the literal
    // 'strict checks'; comparing the installed package version (npm list flags) is more reliable.
    console.assert(verifyAccess.toString().includes('strict checks'), "Unpatched!");

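To make the log-monitoring check above usable beyond a single grep, here is an added Python example (not from the advisory and not Vercel's code) that parses combined-format access log lines, constructed here as sample data, and tallies per-source requests to the discovery endpoint by whether the response looked like a disclosure (2xx) or a block (401/403/404).

```python
import re
from collections import Counter

# Constructed sample lines in NGINX/Apache combined log format (not taken from the page).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2023:10:00:01 +0000] "GET /.well-known/vercel/flags HTTP/1.1" 200 812 "-" "curl/8.0.1"
203.0.113.10 - - [12/Mar/2023:10:00:02 +0000] "GET /.well-known/vercel/flags?x=1 HTTP/1.1" 200 812 "-" "curl/8.0.1"
198.51.100.7 - - [12/Mar/2023:10:05:44 +0000] "GET /api/health HTTP/1.1" 200 17 "-" "kube-probe/1.26"
203.0.113.10 - - [12/Mar/2023:10:06:10 +0000] "GET /.well-known/vercel/flags HTTP/1.1" 403 0 "-" "curl/8.0.1"
192.0.2.55 - - [12/Mar/2023:11:20:00 +0000] "GET /.well-known/vercel/flags HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
FLAGS_PATH = "/.well-known/vercel/flags"


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit_flags_requests(log_text):
    """Count requests to the flags discovery endpoint per source IP.

    Buckets: 'disclosed' (2xx, metadata likely returned), 'blocked' (401/403/404,
    endpoint refused or absent), 'other' (anything else, e.g. 5xx).
    """
    report = {"disclosed": Counter(), "blocked": Counter(), "other": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        # Strip any query string so "/path?x=1" is still recognised as the endpoint.
        if rec["path"].split("?", 1)[0] != FLAGS_PATH:
            continue
        status = int(rec["status"])
        if 200 <= status < 300:
            bucket = "disclosed"
        elif status in (401, 403, 404):
            bucket = "blocked"
        else:
            bucket = "other"
        report[bucket][rec["ip"]] += 1
    return report
```

Any source with a non-zero "disclosed" count hit the endpoint while it was still answering, which is the signal to review before and after the upgrade.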


Sources:

Reported By: github.com
Extra Source Hub:
Undercode