Moderate severity · NVD Advisory · Published Jul 11, 2019 · Updated Aug 4, 2024

CVE-2019-13506

CVE-2019-13506

Description

Nuxt.js serialization library @nuxt/devalue prior to 1.2.3 mishandles object keys, enabling cross-site scripting (XSS) attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nuxt.js serialization library @nuxt/devalue prior to 1.2.3 mishandles object keys, enabling cross-site scripting (XSS) attacks.

The vulnerability resides in the @nuxt/devalue library, which serializes JavaScript objects to a string representation. Prior to version 1.2.3, the library failed to properly sanitize object keys, allowing an attacker to inject malicious content. When the serialized output is later parsed and rendered in a browser, content injected through a key can be interpreted as HTML or JavaScript, leading to cross-site scripting (XSS) [1][4].

Exploitation requires the ability to supply user-controlled data that gets serialized by devalue and then rendered in a web page. An attacker can craft an object with keys containing HTML or script code, such as {"<HTML or script markup>": "value"}. No authentication is needed if the application exposes an endpoint that accepts and serializes user input without proper validation. The attack surface is any Nuxt.js application using @nuxt/devalue (before Nuxt.js 2.6.2) to handle user-supplied data [1].

Successful exploitation results in XSS within the context of the affected web application, potentially allowing an attacker to perform actions on behalf of the victim user, steal session cookies, exfiltrate sensitive data, or deface the site. Although the advisory lists the issue as Moderate severity, the practical impact can be high, because XSS can lead to full account compromise if the victim has administrative privileges [1].

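The issue was addressed in @nuxt/devalue version 1.2.3, which is included in Nuxt.js version 2.6.2. Users should upgrade their dependencies to the patched versions. Because the earlier range ^1.2.2 already admits 1.2.3, an existing lockfile can keep 1.2.2 installed even though the manifest looks compatible; confirm that the resolved version is 1.2.3 or later (for example with `yarn why @nuxt/devalue` or `npm ls @nuxt/devalue`). No workaround is available other than not using devalue to serialize untrusted input [2][3].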

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
@nuxt/devalue (npm) | < 1.2.3 | 1.2.3

Affected products

1

Patches

1
0d5dfe719171

chore(deps): update all non-major dependencies (#5529)

https://github.com/nuxt/nuxt.jsrenovate[bot]Apr 14, 2019via ghsa
6 files changed · +29 24
  • package.json+1 1 modified
    @@ -47,7 +47,7 @@
         "eslint": "^5.16.0",
         "eslint-config-standard": "^12.0.0",
         "eslint-multiplexer": "^1.0.4",
    -    "eslint-plugin-import": "^2.17.0",
    +    "eslint-plugin-import": "^2.17.1",
         "eslint-plugin-jest": "^22.4.1",
         "eslint-plugin-node": "^8.0.1",
         "eslint-plugin-promise": "^4.1.1",
    
  • packages/builder/package.json+2 2 modified
    @@ -8,15 +8,15 @@
       ],
       "main": "dist/builder.js",
       "dependencies": {
    -    "@nuxt/devalue": "^1.2.2",
    +    "@nuxt/devalue": "^1.2.3",
         "@nuxt/utils": "2.6.1",
         "@nuxt/vue-app": "2.6.1",
         "chokidar": "^2.1.5",
         "consola": "^2.6.0",
         "fs-extra": "^7.0.1",
         "glob": "^7.1.3",
         "hash-sum": "^1.0.2",
    -    "ignore": "^5.0.6",
    +    "ignore": "^5.1.0",
         "lodash": "^4.17.11",
         "pify": "^4.0.1",
         "semver": "^6.0.0",
    
  • packages/core/package.json+1 1 modified
    @@ -9,7 +9,7 @@
       "main": "dist/core.js",
       "dependencies": {
         "@nuxt/config": "2.6.1",
    -    "@nuxt/devalue": "^1.2.2",
    +    "@nuxt/devalue": "^1.2.3",
         "@nuxt/server": "2.6.1",
         "@nuxt/utils": "2.6.1",
         "@nuxt/vue-renderer": "2.6.1",
    
  • packages/vue-renderer/package.json+1 1 modified
    @@ -8,7 +8,7 @@
       ],
       "main": "dist/vue-renderer.js",
       "dependencies": {
    -    "@nuxt/devalue": "^1.2.2",
    +    "@nuxt/devalue": "^1.2.3",
         "@nuxt/utils": "2.6.1",
         "consola": "^2.6.0",
         "fs-extra": "^7.0.1",
    
  • packages/webpack/package.json+1 1 modified
    @@ -20,7 +20,7 @@
         "css-loader": "^2.1.1",
         "cssnano": "^4.1.10",
         "eventsource-polyfill": "^0.9.6",
    -    "extract-css-chunks-webpack-plugin": "^4.3.0",
    +    "extract-css-chunks-webpack-plugin": "^4.3.1",
         "file-loader": "^3.0.1",
         "fs-extra": "^7.0.1",
         "glob": "^7.1.3",
    
  • yarn.lock+23 18 modified
    @@ -1476,10 +1476,10 @@
       resolved "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-1.1.3.tgz#2b5a3ab3f918cca48a8c754c08168e3f03eba61b"
       integrity sha512-shAmDyaQC4H92APFoIaVDHCx5bStIocgvbwQyxPRrbUY20V1EYTbSDchWbuwlMG3V17cprZhA6+78JfB+3DTPw==
     
    -"@nuxt/devalue@^1.2.2":
    -  version "1.2.2"
    -  resolved "https://registry.npmjs.org/@nuxt/devalue/-/devalue-1.2.2.tgz#1d7993f9a6029df07f597a20246b16282302b156"
    -  integrity sha512-T3S20YKOG0bzhvFRuGWqXLjqnwTczvRns5BgzHKRosijWHjl6tOpWCIr+2PFC5YQ3gTE4c5ZOLG5wOEcMLvn1w==
    +"@nuxt/devalue@^1.2.3":
    +  version "1.2.3"
    +  resolved "https://registry.npmjs.org/@nuxt/devalue/-/devalue-1.2.3.tgz#0a814d7e10519ffcb1a2a9930add831f91783092"
    +  integrity sha512-iA25xn409pguKhJwfNKQNCzWDZS44yhLcuVPpfy2CQ4xMqrJRpBxePTpkdCRxf7/m66M3rmCgkDZlvex4ygc6w==
       dependencies:
         consola "^2.5.6"
     
    @@ -4364,10 +4364,10 @@ eslint-import-resolver-node@^0.3.2:
         debug "^2.6.9"
         resolve "^1.5.0"
     
    -eslint-module-utils@^2.3.0:
    -  version "2.3.0"
    -  resolved "https://registry.npmjs.org/eslint-module-utils/-/eslint-module-utils-2.3.0.tgz#546178dab5e046c8b562bbb50705e2456d7bda49"
    -  integrity sha512-lmDJgeOOjk8hObTysjqH7wyMi+nsHwwvfBykwfhjR1LNdd7C2uFJBvx4OpWYpXOw4df1yE1cDEVd1yLHitk34w==
    +eslint-module-utils@^2.4.0:
    +  version "2.4.0"
    +  resolved "https://registry.npmjs.org/eslint-module-utils/-/eslint-module-utils-2.4.0.tgz#8b93499e9b00eab80ccb6614e69f03678e84e09a"
    +  integrity sha512-14tltLm38Eu3zS+mt0KvILC3q8jyIAH518MlG+HO0p+yK885Lb1UHTY/UgR91eOyGdmxAPb+OLoW4znqIT6Ndw==
       dependencies:
         debug "^2.6.8"
         pkg-dir "^2.0.0"
    @@ -4389,17 +4389,17 @@ eslint-plugin-es@^1.3.1:
         eslint-utils "^1.3.0"
         regexpp "^2.0.1"
     
    -eslint-plugin-import@^2.17.0:
    -  version "2.17.0"
    -  resolved "https://registry.npmjs.org/eslint-plugin-import/-/eslint-plugin-import-2.17.0.tgz#bdf6598aded839a27454d824b0758fd46f80eb72"
    -  integrity sha512-JCsOtNwPYUoeZPlSr8t0+uCU5OVlHh+dIBn8Rw7FiOPjCECG+QzDIKDqshbyJE6CYoj9wpcstEl8vUY7rXkqVA==
    +eslint-plugin-import@^2.17.1:
    +  version "2.17.1"
    +  resolved "https://registry.npmjs.org/eslint-plugin-import/-/eslint-plugin-import-2.17.1.tgz#b888feb4d9b3ee155113c8dccdd4bec5db33bdf4"
    +  integrity sha512-lzD9uvRvW4MsHzIOMJEDSb5MOV9LzgxRPBaovvOhJqzgxRHYfGy9QOrMuwHIh5ehKFJ7Z3DcrcGKDQ0IbP0EdQ==
       dependencies:
         array-includes "^3.0.3"
         contains-path "^0.1.0"
         debug "^2.6.9"
         doctrine "1.5.0"
         eslint-import-resolver-node "^0.3.2"
    -    eslint-module-utils "^2.3.0"
    +    eslint-module-utils "^2.4.0"
         has "^1.0.3"
         lodash "^4.17.11"
         minimatch "^3.0.4"
    @@ -4733,10 +4733,10 @@ extglob@^2.0.4:
         snapdragon "^0.8.1"
         to-regex "^3.0.1"
     
    -extract-css-chunks-webpack-plugin@^4.3.0:
    -  version "4.3.0"
    -  resolved "https://registry.npmjs.org/extract-css-chunks-webpack-plugin/-/extract-css-chunks-webpack-plugin-4.3.0.tgz#01fb5ea225a78d5bd51e29b191dc1248ab320957"
    -  integrity sha512-U2mCuqF9JKmyQydQQUy+tsCVCeuysgIZNZHd0eeTgIgq6gSqCnS9eaCpknyLVl3aRr8y2gkvRPzpuHS7AdvK0Q==
    +extract-css-chunks-webpack-plugin@^4.3.1:
    +  version "4.3.1"
    +  resolved "https://registry.npmjs.org/extract-css-chunks-webpack-plugin/-/extract-css-chunks-webpack-plugin-4.3.1.tgz#da947a26062f985aa47aafffce1d3f56f923f9f2"
    +  integrity sha512-dSzNLh4UueMcJAA/L2CX+7l3ntpOnpvoDxD2gfHVsf8e1ZwOXI+r4QoFFNwCSblAR1MmK485VMqswpEtzW6wYQ==
       dependencies:
         loader-utils "^1.1.0"
         lodash "^4.17.11"
    @@ -5589,11 +5589,16 @@ ignore@^4.0.6:
       resolved "https://registry.npmjs.org/ignore/-/ignore-4.0.6.tgz#750e3db5862087b4737ebac8207ffd1ef27b25fc"
       integrity sha512-cyFDKrqc/YdcWFniJhzI42+AzS+gNwmUzOSFcRCQYwySuBBBy/KjuxWLZ/FHEH6Moq1NizMOBWyTcv8O4OZIMg==
     
    -ignore@^5.0.2, ignore@^5.0.6:
    +ignore@^5.0.2:
       version "5.0.6"
       resolved "https://registry.npmjs.org/ignore/-/ignore-5.0.6.tgz#562dacc7ec27d672dde433aa683c543b24c17694"
       integrity sha512-/+hp3kUf/Csa32ktIaj0OlRqQxrgs30n62M90UBpNd9k+ENEch5S+hmbW3DtcJGz3sYFTh4F3A6fQ0q7KWsp4w==
     
    +ignore@^5.1.0:
    +  version "5.1.0"
    +  resolved "https://registry.npmjs.org/ignore/-/ignore-5.1.0.tgz#a949efb645e5d67fd78e46f470bee6b8c5d862f9"
    +  integrity sha512-dJEmMwloo0gq40chdtDmE4tMp67ZGwN7MFTgjNqWi2VHEi5Ya6JkuvPWasjcAIm7lg+2if8xxn5R199wspcplg==
    +
     import-cwd@^2.0.0:
       version "2.1.0"
       resolved "https://registry.npmjs.org/import-cwd/-/import-cwd-2.1.0.tgz#aa6cf36e722761285cb371ec6519f53e2435b0a9"
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9
