CVE-2024-47604 in NuGet
Summary
by MITRE • 10/01/2024
NuGet Gallery is a package repository that powers nuget.org. The NuGetGallery has a security vulnerability in its handling of HTML element attributes, which allows an attacker to execute arbitrary HTML or JavaScript code in a victim's browser.
Analysis
by VulDB Data Team • 03/09/2025
The vulnerability identified as CVE-2024-47604 affects the NuGet Gallery package repository system that serves as the primary infrastructure for nuget.org. This security flaw resides in the HTML element attribute handling mechanisms within the NuGet Gallery application, representing a critical cross-site scripting vulnerability that undermines the security posture of the entire package distribution ecosystem. The vulnerability stems from insufficient input validation and sanitization of HTML attributes that are processed during package metadata rendering, creating an attack surface where malicious actors can inject harmful content into the application's output.
This flaw operates through improper sanitization of HTML attributes that are accepted from package authors during the submission process. When the NuGet Gallery renders package information in its web interface, it processes various HTML elements and their attributes without adequate filtering, allowing attackers to embed malicious JavaScript code or HTML content within package descriptions, readme files, or other user-generated content fields. The vulnerability specifically targets the application's HTML attribute parsing logic, where certain attributes such as onclick, onerror, or href values using the javascript: protocol can be exploited to execute arbitrary code in the context of a victim's browser session.
The operational impact of this vulnerability extends beyond simple code execution, as it can lead to full session hijacking, credential theft, and data exfiltration from users interacting with compromised package information. Attackers can craft malicious package metadata that, when viewed by users, triggers malicious JavaScript execution in their browsers, potentially leading to account takeovers, privilege escalation, or the compromise of sensitive development environments. The vulnerability affects all users who access package information through the NuGet Gallery web interface, making it particularly dangerous given the widespread use of NuGet packages in .NET development environments. This represents a significant risk to software supply chain security, as compromised packages can affect thousands of downstream projects and developers.
The technical exploitation of this vulnerability aligns with CWE-79, which describes Cross-Site Scripting vulnerabilities, and follows patterns consistent with ATT&CK technique T1584.001 related to Establishing Command and Control Channels through compromised software repositories. Organizations should implement immediate mitigations including comprehensive HTML attribute filtering, input sanitization of all user-generated content, and deployment of Content Security Policy headers to limit script execution capabilities. Additionally, the NuGet Gallery should enforce strict validation of HTML attributes during package submission, implement automatic scanning of package metadata for malicious patterns, and consider adopting a whitelist approach for permitted HTML elements and attributes. Regular security audits and penetration testing of the package repository infrastructure should be conducted to identify similar vulnerabilities and maintain robust security controls. The vulnerability underscores the critical importance of secure input handling in package repositories and the need for comprehensive security measures to protect the integrity of software distribution channels.