npm package
nuxt
pkg:npm/nuxt
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-53722 | Medium | 5.4 | | >= 4.0.0, < 4.4.7 | 4.4.7 | Jun 12, 2026 | Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying element. When an application bin |
| CVE-2026-53721 | High | 8.2 | | >= 4.0.0, < 4.4.7 | 4.4.7 | Jun 12, 2026 | Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher. This issue has been patched in versio |
| CVE-2025-59414 | — | | | >= 3.6.0, < 3.19.0 | 3.19.0 | Sep 17, 2025 | Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, a client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application do |
| CVE-2025-27415 | — | | | >= 3.0.0, < 3.16.0 | 3.16.0 | Mar 19, 2025 | Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind a CDN, it is possible in some circumstances to poison the CDN cache and highly impact the availability of a site. It is possible to craft a request |
| CVE-2024-34344 | — | | | >= 3.4.0, < 3.12.4 | 3.12.4 | Aug 5, 2024 | Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Due to the insufficient validation of the `path` parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them |
| CVE-2024-34343 | — | | | < 3.12.4 | 3.12.4 | Aug 5, 2024 | Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. The `navigateTo` function attempts to block the `javascript:` protocol, but does not correctly use APIs provided by `unjs/ufo`. This library also contains parsing discrepancie |
| CVE-2023-3224 | — | | | >= 3.4.0, < 3.4.3 | 3.4.3 | Jun 13, 2023 | Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3. |