Nuclei v3.8.0 Fix: Env Var Disclosure via Response-Derived DSL Expressions

Vulnerability Overview Title: Environment variable disclosure via Response-Derived DSL Expressions Published by: ehsandeep Published Date: 2 days ago Severity: Moderate (5.3 / 10) Description: A vulnerability in Nuclei’s expression evaluation engine allows malicious target servers to inject and execute supported DSL expressions. This occurs when HTTP response data containing helper/function syntax is reused across multi-step templates. If the / option is enabled, this may lead to exposure of host environment variables. By default, standard configurations are not affected by this information leakage risk. CVSS v3 Base Metrics: Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None Impact Scope Affected Components: located in Unresolved variable validation path ( ) Affected Users: CLI users running multi-step templates (including extractors or flow-based request chaining) that resolve response-derived values against untrusted or attacker-controlled targets with the flag enabled. SDK users who have integrated Nuclei into platforms where is set to and scan targets are not fully trusted. Vulnerability Details: first replaces placeholders, then scans the replaced output for expressions. Due to this two-pass approach, response-derived values (including extractor outputs and response body content) can be reinterpreted as DSL/helper syntax in the second pass. When ( ) is enabled, environment variables are merged into the template variable map. A malicious target can return response data containing expressions such as , which, when reused in subsequent request templates, will resolve to actual environment variable values. This may expose sensitive host data such as API keys, credentials, and tokens. Even if is not enabled (default), injected DSL expressions may still trigger helper functions (e.g., ), but this has no meaningful security impact beyond unintended behavior. There is also a separate issue in : when deciding whether to include containing unresolved variables, helper expressions are being evaluated, causing the validation logic to run side-effectful helpers even though the final request retains the value as a literal. Remediation Patches: The vulnerability has been fixed in Nuclei v3.8.0. Upgrading to this version is strongly recommended. Related fix references: #7221, #7321 Mitigation: Upgrade to Nuclei v3.8.0. The updated evaluation logic now collects expressions from the original template text before placeholder substitution and only evaluates those expressions written by the template author. If you have enabled , disable it when scanning untrusted targets to avoid environment variable leakage. Workarounds: If upgrading is temporarily not possible, ensure that / is not enabled when running multi-step templates against untrusted targets. Acknowledgments: Thanks to @gnuletik for responsibly disclosing this issue to security@projectdiscovery.io.

Goal Reached Thanks to every supporter — we hit 100%!

Nuclei v3.8.0 Fix: Env Var Disclosure via Response-Derived DSL Expressions

More from this source