CVE-2024-37304

6.1 MEDIUM

📋 TL;DR

NuGet Gallery has a cross-site scripting vulnerability where autolinks in Markdown content are not properly sanitized. Attackers can inject malicious JavaScript via autolinks like <javascript:alert(1)>, which executes when users view the content. This affects all NuGet Gallery instances running versions before 2024.05.28.

💻 Affected Systems

Products:
  • NuGet Gallery
Versions: All versions before 2024.05.28
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any NuGet Gallery instance where users can submit Markdown content with autolinks.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, deface pages, or redirect users to malicious sites.

🟠 Likely Case

Attackers inject malicious scripts to steal user credentials or session tokens from authenticated users viewing package descriptions.

🟢 If Mitigated

With proper input validation and output encoding, the malicious scripts would be rendered harmless as text.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to submit Markdown content (typically authenticated users). The vulnerability is well-documented with example payloads in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.05.28

Vendor Advisory: https://github.com/NuGet/NuGetGallery/security/advisories/GHSA-gwjh-c548-f787

Restart Required: Yes

Instructions:

1. Update NuGet Gallery to version 2024.05.28 or later.
2. Restart the application.
3. Verify the fix by checking the version and testing autolink sanitization.

🔧 Temporary Workarounds

Disable Markdown autolinks (applies to: all versions)

Configure NuGet Gallery to disable or restrict Markdown autolink processing.

Implement WAF rules (applies to: all versions)

Add web application firewall rules to block the javascript: protocol in autolinks.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to prevent script execution
  • Enable input validation to reject Markdown containing JavaScript protocol in autolinks

🔍 How to Verify

Check if Vulnerable:

Test by creating a package description with <javascript:alert('test')> and checking if script executes.

Check Version:

Check NuGet Gallery version in admin interface or application configuration.

Verify Fix Applied:

After patching, test the same payload; it should be rendered as plain text or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Markdown submissions containing JavaScript protocol
  • Multiple failed autolink validation attempts

Network Indicators:

  • HTTP requests with JavaScript payloads in Markdown parameters

SIEM Query:

search 'javascript:' in request_body AND (path contains '/api/v2/package' OR path contains '/packages')
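The input-validation workaround above and this SIEM query can both be expressed as one scheme allowlist check on Markdown autolinks. The following is an added example written for this page, not NuGet Gallery's own code; the allowlist, the watched path prefixes and the request-record shape are assumptions, and it generalises the query from matching the literal string 'javascript:' to rejecting every scheme that is not explicitly allowed. It is a submission-time filter, not a substitute for filtering hrefs in the Markdown renderer itself.

```python
import re

# CommonMark autolink: <scheme:rest>, where scheme is a letter followed by
# 1..31 of [A-Za-z0-9+.-], and nothing inside the brackets is whitespace or '<'.
AUTOLINK_RE = re.compile(r"<([A-Za-z][A-Za-z0-9+.\-]{1,31}):([^\s<>]*)>")

# Schemes a package description legitimately needs (assumed for this example).
# Anything not listed here is treated as unsafe, which also covers data: and vbscript:.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Package-submission paths named by the advisory's SIEM query (assumed prefixes).
WATCHED_PREFIXES = ("/api/v2/package", "/packages")


def unsafe_autolinks(markdown: str) -> list:
    """Return each autolink (as 'scheme:rest') whose scheme is not allowlisted.

    The scheme is lower-cased before the check: browsers treat schemes as
    case-insensitive, so <JavaScript:...> must be rejected like <javascript:...>.
    """
    return [
        f"{scheme}:{rest}"
        for scheme, rest in AUTOLINK_RE.findall(markdown)
        if scheme.lower() not in ALLOWED_SCHEMES
    ]


def sanitize_autolinks(markdown: str) -> str:
    """Neutralise unsafe autolinks by HTML-escaping their angle brackets.

    The reader still sees the text, but the renderer no longer recognises an
    autolink, so no <a href> is emitted for it (matches 'rendered as plain text').
    """
    def keep_or_escape(m):
        if m.group(1).lower() in ALLOWED_SCHEMES:
            return m.group(0)
        return "&lt;" + m.group(1) + ":" + m.group(2) + "&gt;"
    return AUTOLINK_RE.sub(keep_or_escape, markdown)


def flag_requests(records: list) -> list:
    """Detection side: return request records (dicts with 'path' and 'body')
    that hit a package-submission path AND carry a disallowed autolink.
    Precedence is the intended reading of the SIEM query: body AND (path OR path).
    """
    return [
        r for r in records
        if r["path"].startswith(WATCHED_PREFIXES) and unsafe_autolinks(r["body"])
    ]
```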

🔗 References