CVE-2024-45597
📋 TL;DR
CVE-2024-45597 is an HTTP request injection vulnerability in Pluto (a superset of Lua 5.4). Header values passed to http.request were not sanitized, so a user-controlled value containing newline characters can terminate the header it sits in and append further headers, or an entire second request, to what is sent on the wire. Because the injected request goes out on the same connection with the same headers table, an attacker can reuse any authentication token the application itself attached. Affected are Pluto applications that place untrusted input into http.request headers.
💻 Affected Systems
- Pluto programming language (builds that predate commit 6b8c5c3)
📦 What is this software?
Pluto by Pluto Lang: a superset of Lua 5.4 with additional syntax and an extended standard library, including the http library whose http.request function is affected here.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could perform server-side request forgery (SSRF), access internal services, exfiltrate data via authenticated requests, or chain with other vulnerabilities for lateral movement.
Likely Case
Unauthorized HTTP requests to internal or external systems using stolen authentication tokens from header values, potentially leading to data exposure or API abuse.
If Mitigated
Limited impact with proper input validation and header sanitization, restricting request destinations and token scope.
🎯 Exploit Status
Exploitation requires attacker-controlled input to reach a header value (or header name) passed to http.request; no authentication against the Pluto application is needed if that input is externally controllable (a form field, query parameter, or upstream API response).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 6b8c5c3 (PR #945)
Vendor Advisory: https://github.com/PlutoLang/Pluto/security/advisories/GHSA-w8xp-pmx2-37w7
Restart Required: Yes, running Pluto processes must be restarted to load the rebuilt interpreter.
Instructions:
1. Update Pluto to a build that includes commit 6b8c5c3.
2. Rebuild or reinstall Pluto if you build from source.
3. Restart any Pluto process that makes HTTP requests so it runs on the updated interpreter; an already-running process keeps the vulnerable code in memory.
🔧 Temporary Workarounds
Input Validation for Headers
Validate user input before passing it to http.request headers, either against an allowlist of expected values or a character allowlist. Carriage return and line feed are the characters that enable the injection; rejecting a value that contains them is preferable to silently stripping characters, which can change the meaning of the value.
-- Example Lua/Pluto code (strips everything except letters, digits and hyphens; suitable for identifiers, too strict for free-form values): local safe_header = string.gsub(user_input, "[^a-zA-Z0-9-]", "")
Restrict HTTP Request Destinations
Implement network controls (egress firewall rules or an outbound proxy) to limit HTTP requests from Pluto applications to trusted domains/IPs only, so an injected request cannot reach internal services.
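The two workarounds above combined into one wrapper, as an added example written for this page rather than code from the Pluto project or the advisory. It rejects header names that are not RFC 9110 tokens and header values containing CR, LF, NUL or other control bytes, and refuses destinations outside a host allowlist. It assumes the call shape http.request(url, options) with the headers in options.headers, and the hosts in ALLOWED_HOSTS are placeholders; the self-checks at the bottom only exercise the validators, so the file also runs under plain Lua 5.4.

```lua
-- Added example (not Pluto's own code): reject, rather than strip, header
-- names/values that could inject extra header lines or a second request,
-- and only allow outbound requests to known hosts.

-- RFC 9110 "token" characters, the only ones legal in a header name.
local TOKEN_PATTERN = "^[%w!#$%%&'*+%-%.%^_`|~]+$"

-- Hosts this application may talk to (assumed values, adjust to your own).
local ALLOWED_HOSTS = {
  ["api.example.com"] = true,
  ["auth.example.com"] = true,
}

local function valid_field_name(name)
  return type(name) == "string" and name:match(TOKEN_PATTERN) ~= nil
end

-- A field value may contain HTAB, visible ASCII and obs-text (0x80-0xFF).
-- CR, LF, NUL and the other control bytes are exactly what enables injection.
local function valid_field_value(value)
  if type(value) ~= "string" then return false end
  for i = 1, #value do
    local b = value:byte(i)
    if not (b == 0x09 or (b >= 0x20 and b <= 0x7E) or b >= 0x80) then
      return false
    end
  end
  return true
end

-- Returns true, or false plus a message naming the first offending header.
local function check_headers(headers)
  if type(headers) ~= "table" then return false, "headers must be a table" end
  for name, value in pairs(headers) do
    if not valid_field_name(name) then
      return false, "invalid header name: " .. tostring(name)
    end
    if not valid_field_value(value) then
      return false, "invalid header value for: " .. name
    end
  end
  return true
end

-- Host part of an http(s) URL (userinfo and port removed); nil otherwise.
local function host_of(url)
  local authority = url:match("^https?://([^/?#]+)")
  if not authority then return nil end
  authority = authority:match("@(.*)$") or authority          -- drop userinfo
  local host = authority:match("^%[[^%]]+%]") or authority:match("^[^:]+")
  return host and host:lower() or nil
end

-- Drop-in replacement for http.request that enforces both checks first.
local function safe_request(url, options)
  if type(url) ~= "string" then return nil, "url must be a string" end
  local host = host_of(url)
  if not host or not ALLOWED_HOSTS[host] then
    return nil, "destination not allowed: " .. tostring(host)
  end
  options = options or {}
  if options.headers ~= nil then
    local ok, err = check_headers(options.headers)
    if not ok then return nil, err end
  end
  -- Assumed Pluto call shape: http.request(url, options), headers in options.headers.
  return http.request(url, options)
end

-- Self-checks (no network use; run under Pluto or plain Lua 5.4).
assert(check_headers({ Authorization = "Bearer abc123", ["X-Request-Id"] = "7f3e" }))
assert(not check_headers({ ["X-User"] = "alice\r\nX-Injected: yes" }))  -- CRLF injection
assert(not check_headers({ ["X-User"] = "alice\nGET /admin HTTP/1.1" })) -- bare LF
assert(not check_headers({ ["Bad Name"] = "x" }))                        -- space in name
assert(host_of("https://api.example.com:8443/v1/users") == "api.example.com")
assert(host_of("http://evil.example@api.example.com/") == "api.example.com")
assert(host_of("file:///etc/passwd") == nil)
assert(select(2, safe_request("http://169.254.169.254/latest/meta-data/")) ~= nil)
print("validators ok")
```

Use safe_request in place of http.request wherever any part of the URL or headers can be influenced by input. A failed check returns nil plus a message in the usual Lua error-return style, so callers can log the rejected input instead of sending it.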
🧯 If You Can't Patch
- Implement strict input validation on all user-controlled data passed to HTTP headers, rejecting or sanitizing unexpected values.
- Use network segmentation to restrict Pluto applications from making unauthorized outbound requests, and monitor for anomalous HTTP traffic.
🔍 How to Verify
Check if Vulnerable:
Review Pluto scripts for http.request calls with user-controlled header values; check Pluto version against commit 6b8c5c3.
Check Version:
pluto --version or check git log for commit 6b8c5c3 in the Pluto repository.
Verify Fix Applied:
Ensure Pluto is updated to include commit 6b8c5c3; test with a proof-of-concept using malicious header input to confirm no injection occurs.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests from Pluto applications, especially to unexpected domains or with anomalous headers.
Network Indicators:
- Outbound HTTP traffic from Pluto processes to unauthorized or internal IPs, or with injected header patterns.
SIEM Query (placeholder; the field names are illustrative and must be mapped to your own log schema):
source="pluto" AND (http_request OR outbound_traffic) AND (header_injection OR ssrf_patterns)
The two concrete signals behind those placeholders are CR/LF (raw or percent-encoded as %0D%0A) inside logged header values, and outbound destinations that are not on the application's allowlist.
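The detection logic those indicators describe, run over a few constructed log lines, as an added example written for this page (not from the advisory or the Pluto project). The log format is assumed: one tab-separated line per outbound request with timestamp, source, destination host, method, path and a comma-separated list of name=value headers whose values the logger percent-encodes, so an injected CRLF survives as %0D%0A. ALLOWED_HOSTS and the sample lines are placeholders.

```lua
-- Added example (not from the advisory): flag outbound-request log lines
-- that show either a header-injection attempt or an off-allowlist destination.

local ALLOWED_HOSTS = { ["api.example.com"] = true, ["auth.example.com"] = true }

-- Undo the logger's percent-encoding so control characters become visible.
local function percent_decode(s)
  return (s:gsub("%%(%x%x)", function(hex) return string.char(tonumber(hex, 16)) end))
end

-- Assumed line layout:  ts  src  dst_host  method  path  name=value,name=value
local function parse_line(line)
  local ts, src, dst, method, path, hdrs =
    line:match("^(%S+)\t(%S+)\t(%S+)\t(%S+)\t(%S+)\t(.*)$")
  if not ts then return nil end
  local headers = {}
  for pair in hdrs:gmatch("[^,]+") do
    local name, value = pair:match("^([^=]+)=(.*)$")
    if name then headers[name] = percent_decode(value) end
  end
  return { ts = ts, src = src, dst = dst, method = method, path = path, headers = headers }
end

-- One record in, list of finding strings out.
local function findings_for(rec)
  local out = {}
  if not ALLOWED_HOSTS[rec.dst] then
    out[#out + 1] = "destination not in allowlist: " .. rec.dst
  end
  for name, value in pairs(rec.headers) do
    if value:find("[\r\n\0]") then
      out[#out + 1] = "control characters in header " .. name
    end
  end
  return out
end

local function scan(lines)
  local alerts = {}
  for _, line in ipairs(lines) do
    local rec = parse_line(line)
    if rec then
      for _, f in ipairs(findings_for(rec)) do
        alerts[#alerts + 1] = string.format("%s src=%s dst=%s %s", rec.ts, rec.src, rec.dst, f)
      end
    end
  end
  return alerts
end

-- Constructed sample log: one benign request, one CRLF injection, one SSRF attempt.
local SAMPLE = {
  "2024-09-10T12:00:01Z\t10.0.0.5\tapi.example.com\tGET\t/v1/me\tAuthorization=Bearer%20abc,X-User=alice",
  "2024-09-10T12:00:02Z\t10.0.0.5\tapi.example.com\tGET\t/v1/me\tAuthorization=Bearer%20abc,X-User=alice%0D%0AX-Admin%3A%20true",
  "2024-09-10T12:00:03Z\t10.0.0.5\t169.254.169.254\tGET\t/latest/meta-data/\tX-User=bob",
}

local alerts = scan(SAMPLE)
for _, a in ipairs(alerts) do print(a) end
assert(#alerts == 2)  -- lines 2 and 3 are flagged, line 1 is not
```

Whatever the real log schema looks like, the parse step is the only part that changes; the two findings_for checks are the ones worth encoding in the SIEM rule. If an egress proxy is in the path, its logs are the better source, since an injected second request appears there as a separate request with an unexpected path from the same client.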