CVE-2021-21373

CVSS score: 7.5 (HIGH)

📋 TL;DR

This vulnerability in the Nimble package manager lets a man-in-the-middle attacker intercept the package list download (Nimble falls back to plain HTTP when the HTTPS fetch fails) and substitute malicious package entries. When a developer installs one of those packages, the result is remote code execution. It affects Nim developers using the Nimble shipped with Nim versions before 1.2.10 or before 1.4.4.

💻 Affected Systems

Products:
  • Nimble package manager
Versions: Nim versions before 1.2.10 and before 1.4.4
Operating Systems: All platforms running Nimble
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when 'nimble refresh' encounters HTTPS errors and falls back to HTTP.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise through malicious package installation, leading to remote code execution, data theft, and persistent backdoors.

🟠 Likely Case: Attackers intercepting unencrypted package list downloads to inject malicious packages that developers then install.

🟢 If Mitigated: No impact if using patched versions, or if network controls prevent the HTTP fallback from reaching untrusted sources.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires man-in-the-middle position on network traffic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Nim 1.2.10 or 1.4.4

Vendor Advisory: https://github.com/nim-lang/security/security/advisories/GHSA-8w52-r35x-rgp8

Restart Required: No

Instructions:

1. Update Nim to version 1.2.10 or 1.4.4.
2. Run 'nimble refresh' to update package lists.
3. Verify that no HTTP fallback occurs.

🔧 Temporary Workarounds

Disable HTTP fallback (platforms: all)

Configure Nimble to never fall back to HTTP when HTTPS fails:

export NIMBLE_NO_HTTP_FALLBACK=1

Use trusted package mirrors (platforms: all)

Configure Nimble to use only trusted HTTPS package sources:

nimble config set packageList "https://trusted-mirror.example.com/packages.json"

🧯 If You Can't Patch

  • Avoid using 'nimble refresh' on untrusted networks
  • Monitor network traffic for HTTP connections to irclogs.nim-lang.org

🔍 How to Verify

Check if Vulnerable:

Check the Nim version with 'nim --version' and verify whether it is below 1.2.10 (on the 1.2 branch) or below 1.4.4 (on the 1.4 branch); Nimble ships with Nim, so the compiler version identifies the affected Nimble.

Check Version:

nim --version

Verify Fix Applied:

After the update, run 'nimble refresh' and confirm in network traffic that only HTTPS connections are made for the package list.
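The version check above has a branch edge case: 1.2.10 is fixed even though it is numerically below 1.4.4, while any 1.3.x or 1.4.0 to 1.4.3 build is not. The following script, an added example that is not part of the advisory page or the Nim project, parses the first line of 'nim --version' and applies that two-branch rule. The sample output is constructed; the assumption that release branches after 1.4 (1.6 and later) were cut after the fix is labelled in the code.

```python
import re
import subprocess

# Constructed sample of `nim --version` output (not captured from a real host).
SAMPLE_OUTPUT = """\
Nim Compiler Version 1.4.2 [Linux: amd64]
Compiled at 2020-12-04
Copyright (c) 2006-2020 by Andreas Rumpf
"""

VERSION_RE = re.compile(r"Nim Compiler Version (\d+)\.(\d+)\.(\d+)")


def parse_nim_version(output):
    """Return (major, minor, patch) from the first line of `nim --version` output."""
    match = VERSION_RE.search(output)
    if match is None:
        raise ValueError("no 'Nim Compiler Version X.Y.Z' line found in output")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """Apply the advisory's two fixed releases: 1.2.10 on the 1.2 branch, 1.4.4 on the 1.4 branch.

    Anything older than 1.2.10 on the 1.2 branch is vulnerable; for every other
    branch, anything below 1.4.4 is vulnerable (this covers 1.0.x, 1.3.x and
    1.4.0 to 1.4.3). Assumption: branches newer than 1.4 were cut after the fix.
    """
    major, minor, patch = version
    if (major, minor) == (1, 2):
        return patch < 10
    return version < (1, 4, 4)


def check_installed_nim():
    """Run `nim --version` on this machine and report (version, vulnerable)."""
    result = subprocess.run(["nim", "--version"], capture_output=True, text=True, check=True)
    version = parse_nim_version(result.stdout)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the local install if present.
    sample_version = parse_nim_version(SAMPLE_OUTPUT)
    print("sample:", ".".join(map(str, sample_version)), "vulnerable" if is_vulnerable(sample_version) else "fixed")
    try:
        version, vulnerable = check_installed_nim()
        print("local:", ".".join(map(str, version)), "vulnerable" if vulnerable else "fixed")
    except FileNotFoundError:
        print("local: nim not found on PATH")
```

The rule is deliberately conservative: a version string on an unlisted branch between 1.2 and 1.4 is reported as vulnerable rather than assumed safe.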

📡 Detection & Monitoring

Log Indicators:

  • HTTP connections to irclogs.nim-lang.org in network logs
  • Failed HTTPS attempts followed by HTTP fallback

Network Indicators:

  • Outbound HTTP traffic to port 80 of irclogs.nim-lang.org during nimble operations

SIEM Query:

destination_port:80 AND destination_host:irclogs.nim-lang.org AND process_name:nimble
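The two log indicators above (plaintext traffic to the package-list host, and a failed HTTPS attempt followed by HTTP) can be checked offline before a SIEM rule is written. The following detector is an added example, not part of the advisory page or of Nimble; the event lines are a constructed key=value format, and the field names (proc, dst_host, dst_port, status) are assumptions standing in for whatever the local connection logging actually emits.

```python
import re
from collections import defaultdict

# Constructed sample connection events (not real logs). Each line is one
# outbound connection attempt: timestamp, source host, process, destination, outcome.
SAMPLE_EVENTS = """\
ts=2021-03-26T10:00:01Z host=dev1 proc=nimble dst_host=irclogs.nim-lang.org dst_port=443 status=ok
ts=2021-03-26T10:05:12Z host=dev2 proc=nimble dst_host=irclogs.nim-lang.org dst_port=443 status=fail
ts=2021-03-26T10:05:13Z host=dev2 proc=nimble dst_host=irclogs.nim-lang.org dst_port=80 status=ok
ts=2021-03-26T10:07:44Z host=dev3 proc=curl dst_host=irclogs.nim-lang.org dst_port=80 status=ok
ts=2021-03-26T10:09:00Z host=dev4 proc=nimble dst_host=example.org dst_port=80 status=ok
ts=2021-03-26T10:11:30Z host=dev5 proc=nimble dst_host=irclogs.nim-lang.org dst_port=80 status=ok
"""

PACKAGE_LIST_HOST = "irclogs.nim-lang.org"  # host named in the advisory's indicators
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict; unknown or blank lines give an empty dict."""
    return dict(KV_RE.findall(line))


def find_http_fallbacks(events_text):
    """Flag every plaintext (port 80) fetch of the package list by nimble.

    Each finding records whether the plaintext connection directly followed a
    failed HTTPS attempt from the same source host, which is the fallback
    pattern the advisory describes, as opposed to a bare HTTP fetch.
    """
    findings = []
    https_failed = defaultdict(bool)  # per source host: did the last 443 attempt fail?
    for line in events_text.splitlines():
        event = parse_event(line)
        if event.get("proc") != "nimble" or event.get("dst_host") != PACKAGE_LIST_HOST:
            continue
        src = event.get("host", "?")
        if event.get("dst_port") == "443":
            https_failed[src] = event.get("status") == "fail"
        elif event.get("dst_port") == "80":
            findings.append({
                "host": src,
                "ts": event.get("ts"),
                "after_https_failure": https_failed[src],
            })
            https_failed[src] = False
    return findings


if __name__ == "__main__":
    for finding in find_http_fallbacks(SAMPLE_EVENTS):
        kind = "HTTPS->HTTP fallback" if finding["after_https_failure"] else "plain HTTP fetch"
        print(f"{finding['ts']} {finding['host']}: {kind} of package list")
```

Both findings deserve attention: the fallback case is the exact vulnerable path, while a plain HTTP fetch with no preceding HTTPS failure points at a misconfigured package-list URL that should be corrected to HTTPS.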
