projectdiscovery/nuclei v3.8.0

on GitHub

What's Changed

Security Fixes

• JS: Respect allow-local-file-access in require by @dwisiswant0 (#7332)
  • GHSA-29rg-wmcw-hpf4
• Expressions: Only evaluate template-authored expressions by @dwisiswant0 (#7221)(#7321)
  • GHSA-jm34-66cf-qpvr

Bug Fixes

• HTTP: Respect annotations in unsafe mode by @dwisiswant0 (#7044)
• HTTP: Isolate project cache keys by scheme & host by @dwisiswant0 (#7043)
• Expressions: Propagate unresolved variable markers through encoding functions by @dogancanbakir (#7033)
• SDK: Respect WithOptions rate limit by @dwisiswant0 (#7342)
• Fuzz: Prevent path mutation across sequential Rebuild calls by @promisingcoder (#7253)
• Fuzz: Use actual parameter for frequency deduplication by @Godzilla675 (#7037)
• Fuzz: Fix concurrent map writes in multipart form parsing by @Mzack9999 (#7291)
• Fuzz: Propagate custom headers to time_delay analyzer follow-up requests by @usernametooshort (#7125)
• JS: Fix watchdog and propagate context to all JS library network calls by @Mzack9999 (#7299)
• JS: Interrupt goja runtime on context cancel by @mikhail5555 (#7343)
• WebSocket: Fix path handling when merging template & target URLs by @Mzack9999 (#7290)
• Runner: Stop spawning template goroutines in host-spray when host is unresponsive by @usernametooshort (#7129)
• Input: Optimize removeTargets to prevent hang on large exclusions by @JawsKim (#6760)
• Installer: Prevent unnecessary update checks by @dahezhiquan (#7337)
• Utils: Normalize unbracketed IPv6 literals for probing by @dwisiswant0 (#7045)
• Client pool: Replace global variable with local scoping by @mikhail5555 (#7294)
• Fix InFlight map race condition via Snapshot method by @n3integration (#7026)
• Fix race condition in Dynamic.Fetch and always prefetch secrets by @hussain-alsaibai (#6976)
• Fix nil interface set in createEphemeralObjects to prevent panic by @maxwolf8852 (#6944)
• Fix DAST skipping URLs with part: request and mode: multiple by @dogancanbakir (#7326)
• Fix headless JS loading with -tlsi and addheader/setheader by @dogancanbakir (#7325)
• Fix flow execution with auth by @Mzack9999 (#7298)
• Fix redirect handling by @Mzack9999 (#7286)
• Fix Elastic export by @Mzack9999 (#7287)
• Use crypto/rand instead of math/rand in JS global functions by @sandiyochristan (#7215)

New Features

• Fuzz: Add XSS reflection context analyzer by @ZachL111 (#7164)
• Reporting: Add PDF export option for scan results by @Gengyscan (#7254)
• Network templates: Support service names in port field by @dogancanbakir (#7303)
• Add honeypot detection to reduce scan noise by @HarshadaGawas05 (#7277)
• Add inline targets and secrets to template profiles by @SaurabhCodesAI (#6858)

Performance & Improvements

• Runner: Fast path for tag listing by @dwisiswant0 (#7143)
• Runner: Use Print instead for listAvailableStoreTags by @dwisiswant0 (#7145)
• Resume state: Refactored as cache data by @dwisiswant0 (#7042)
• Capture stderr output by @Mzack9999 (#7292)

Tests & CI

• Add fuzz tests by @dwisiswant0 (#7311)
• Add request condition tests for multi-raw-request flow templates by @Mzack9999 (#7300)
• Refactor native tests by @dwisiswant0 (#7307)
• Add GITHUB_TOKEN to workflows for authenticated template updates by @dwisiswant0 (#7119)
• Integrate typos spell checker into CI by @telewin95 (#7158)

Documentation

• Update outdated documentation links across all translations by @Pitrat-wav (#7020)

New Contributors

• @usernametooshort made their first contribution in #7129
• @Pitrat-wav made their first contribution in #7020
• @n3integration made their first contribution in #7026
• @JawsKim made their first contribution in #6760
• @sandiyochristan made their first contribution in #7215
• @telewin95 made their first contribution in #7158
• @Gengyscan made their first contribution in #7254
• @hussain-alsaibai made their first contribution in #6976
• @promisingcoder made their first contribution in #7253
• @Godzilla675 made their first contribution in #7037
• @SaurabhCodesAI made their first contribution in #6858
• @ZachL111 made their first contribution in #7164
• @HarshadaGawas05 made their first contribution in #7277
• @mikelolasagasti made their first contribution in #7282
• @maxwolf8852 made their first contribution in #6944
• @mikhail5555 made their first contribution in #7294
• @dahezhiquan made their first contribution in #7337

Full Changelog: v3.7.1...v3.8.0