Search criteria
28 vulnerabilities found for nuxt by nuxt
FKIE_CVE-2025-59414
Vulnerability from fkie_nvd - Published: 2025-09-17 19:15 - Updated: 2025-12-03 18:47
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Summary
Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object, he data gets serialized with devalue.stringify and stored in the prerendered page. When a client navigates to the prerendered page, devalue.parse deserializes the payload. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences. Update to Nuxt 3.19.0+ or 4.1.0+.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1A93E3D1-3CAE-47EF-A52F-E77C13FAA56E",
"versionEndExcluding": "3.19.0",
"versionStartIncluding": "3.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "48C5B681-0D99-46B1-A2FB-509870F61BD8",
"versionEndExcluding": "4.1.0",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, A client-side path traversal vulnerability in Nuxt\u0027s Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object, he data gets serialized with devalue.stringify and stored in the prerendered page. When a client navigates to the prerendered page, devalue.parse deserializes the payload. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences. Update to Nuxt 3.19.0+ or 4.1.0+."
},
{
"lang": "es",
"value": "Nuxt es un framework de desarrollo web de c\u00f3digo abierto para Vue.js. Antes de las versiones 3.19.0 y 4.1.0, una vulnerabilidad de salto de ruta del lado del cliente en el mecanismo de reactivaci\u00f3n de carga \u00fatil de Nuxt Island permit\u00eda a los atacantes manipular solicitudes del lado del cliente a diferentes puntos finales dentro del mismo dominio de aplicaci\u00f3n cuando se cumplen condiciones espec\u00edficas de prerrenderizado. La vulnerabilidad ocurre en el proceso de reactivaci\u00f3n de carga \u00fatil del lado del cliente (revive-payload.client.ts) donde las Nuxt Islands se obtienen autom\u00e1ticamente al encontrar objetos __nuxt_island serializados. Durante el prerrenderizado, si un punto final de la API devuelve datos controlados por el usuario que contienen un objeto __nuxt_island manipulado, los datos se serializan con devalue.stringify y se almacenan en la p\u00e1gina prerrenderizada. Cuando un cliente navega a la p\u00e1gina prerrenderizada, devalue.parse deserializa la carga \u00fatil. El reactivador de Island intenta obtener /__nuxt_island/${key}.json donde key podr\u00eda contener secuencias de salto de ruta. Actualice a Nuxt 3.19.0+ o 4.1.0+."
}
],
"id": "CVE-2025-59414",
"lastModified": "2025-12-03T18:47:40.983",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-09-17T19:15:47.437",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/nuxt/nuxt/commit/2566d2046bccb158d98fb13e42ce4b2c33fb2595"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-p6jq-8vc4-79f6"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-27415
Vulnerability from fkie_nvd - Published: 2025-03-19 19:15 - Updated: 2025-12-03 18:44
Severity ?
Summary
Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable. This vulnerability is fixed in 3.16.0.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4D5003E3-17E0-4FD0-8449-637E21A366A2",
"versionEndExcluding": "3.16.0",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable. This vulnerability is fixed in 3.16.0."
},
{
"lang": "es",
"value": "Nuxt es un framework de desarrollo web de c\u00f3digo abierto para Vue.js. Antes de la versi\u00f3n 3.16.0, al enviar una solicitud HTTP manipulada a un servidor tras una CDN, era posible, en ciertas circunstancias, contaminar la cach\u00e9 de la CDN, lo que afectaba gravemente la disponibilidad de un sitio. Es posible manipular una solicitud, como https://mysite.com/?/_payload.json, que se renderizar\u00eda como JSON. Si la CDN frente a un sitio Nuxt ignora la cadena de consulta al determinar si se debe almacenar en cach\u00e9 una ruta, esta respuesta JSON podr\u00eda enviarse a futuros visitantes del sitio. Un atacante puede realizar este ataque a un sitio vulnerable para inhabilitarlo indefinidamente. Tambi\u00e9n es posible, si se restablece la cach\u00e9, crear un peque\u00f1o script que env\u00ede una solicitud cada X segundos (= duraci\u00f3n de la cach\u00e9), de modo que la cach\u00e9 se inutilice permanentemente, dejando el sitio completamente indisponible. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 3.16.0."
}
],
"id": "CVE-2025-27415",
"lastModified": "2025-12-03T18:44:15.927",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-03-19T19:15:47.257",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-349"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-34344
Vulnerability from fkie_nvd - Published: 2024-08-05 21:15 - Updated: 2024-09-19 20:58
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Due to the insufficient validation of the `path` parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands. Users who open a malicious web page in the browser while running the test locally are affected by this vulnerability, which results in the remote code execution from the malicious web page. Since web pages can send requests to arbitrary addresses, a malicious web page can repeatedly try to exploit this vulnerability, which then triggers the exploit when the test server starts.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/nuxt/nuxt/security/advisories/GHSA-v784-fjjh-f8r4 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2260958F-B727-4B00-8835-29448E791AF6",
"versionEndExcluding": "3.12.4",
"versionStartIncluding": "3.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Due to the insufficient validation of the `path` parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands. Users who open a malicious web page in the browser while running the test locally are affected by this vulnerability, which results in the remote code execution from the malicious web page. Since web pages can send requests to arbitrary addresses, a malicious web page can repeatedly try to exploit this vulnerability, which then triggers the exploit when the test server starts."
},
{
"lang": "es",
"value": "Nuxt es un framework gratuito y de c\u00f3digo abierto para crear sitios web y aplicaciones web completos con Vue.js. Debido a la validaci\u00f3n insuficiente del par\u00e1metro `path` en NuxtTestComponentWrapper, un atacante puede ejecutar JavaScript arbitrario en el lado del servidor, lo que le permite ejecutar comandos arbitrarios. Los usuarios que abren una p\u00e1gina web maliciosa en el navegador mientras ejecutan la prueba localmente se ven afectados por esta vulnerabilidad, que resulta en la ejecuci\u00f3n remota de c\u00f3digo desde la p\u00e1gina web maliciosa. Dado que las p\u00e1ginas web pueden enviar solicitudes a direcciones arbitrarias, una p\u00e1gina web maliciosa puede intentar explotar esta vulnerabilidad repetidamente, lo que luego activa la vulnerabilidad cuando se inicia el servidor de prueba."
}
],
"id": "CVE-2024-34344",
"lastModified": "2024-09-19T20:58:01.827",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-05T21:15:38.457",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-v784-fjjh-f8r4"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-42352
Vulnerability from fkie_nvd - Published: 2024-08-05 21:15 - Updated: 2024-09-19 20:55
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. `nuxt/icon` provides an API to allow client side icon lookup. This endpoint is at `/api/_nuxt_icon/[name]`. The proxied request path is improperly parsed, allowing an attacker to change the scheme and host of the request. This leads to SSRF, and could potentially lead to sensitive data exposure. The `new URL` constructor is used to parse the final path. This constructor can be passed a relative scheme or path in order to change the host the request is sent to. This constructor is also very tolerant of poorly formatted URLs. As a result we can pass a path prefixed with the string `http:`. This has the effect of changing the scheme to HTTP. We can then subsequently pass a new host, for example `http:127.0.0.1:8080`. This would allow us to send requests to a local server. This issue has been addressed in release version 1.4.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/nuxt/icon/security/advisories/GHSA-cxgv-px37-4mp2 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "450FA494-54D1-4853-BA87-BAC6F4D749FE",
"versionEndExcluding": "1.4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. `nuxt/icon` provides an API to allow client side icon lookup. This endpoint is at `/api/_nuxt_icon/[name]`. The proxied request path is improperly parsed, allowing an attacker to change the scheme and host of the request. This leads to SSRF, and could potentially lead to sensitive data exposure. The `new URL` constructor is used to parse the final path. This constructor can be passed a relative scheme or path in order to change the host the request is sent to. This constructor is also very tolerant of poorly formatted URLs. As a result we can pass a path prefixed with the string `http:`. This has the effect of changing the scheme to HTTP. We can then subsequently pass a new host, for example `http:127.0.0.1:8080`. This would allow us to send requests to a local server. This issue has been addressed in release version 1.4.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Nuxt es un framework gratuito y de c\u00f3digo abierto para crear sitios web y aplicaciones web completos con Vue.js. `nuxt/icon` proporciona una API para permitir la b\u00fasqueda de iconos del lado del cliente. Este endpoint est\u00e1 en `/api/_nuxt_icon/[nombre]`. La ruta de la solicitud proxy se analiza incorrectamente, lo que permite a un atacante cambiar el esquema y el host de la solicitud. Esto conduce a la SSRF y potencialmente podr\u00eda provocar la exposici\u00f3n de datos confidenciales. El constructor \"nueva URL\" se utiliza para analizar la ruta final. A este constructor se le puede pasar un esquema o ruta relativa para cambiar el host al que se env\u00eda la solicitud. Este constructor tambi\u00e9n es muy tolerante con las URL mal formateadas. Como resultado, podemos pasar una ruta con el prefijo `http:`. Esto tiene el efecto de cambiar el esquema a HTTP. Luego podemos pasar un nuevo host, por ejemplo `http:127.0.0.1:8080`. Esto nos permitir\u00eda enviar solicitudes a un servidor local. Este problema se solucion\u00f3 en la versi\u00f3n 1.4.5 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2024-42352",
"lastModified": "2024-09-19T20:55:46.543",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-05T21:15:38.913",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/nuxt/icon/security/advisories/GHSA-cxgv-px37-4mp2"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-34343
Vulnerability from fkie_nvd - Published: 2024-08-05 21:15 - Updated: 2024-09-19 19:57
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. The `navigateTo` function attempts to blockthe `javascript:` protocol, but does not correctly use API's provided by `unjs/ufo`. This library also contains parsing discrepancies. The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL parsing. This function works effectively, and returns true for a javascript: protocol. After this, the URL is parsed using the parseURL function. This function will refuse to parse poorly formatted URLs. Parsing javascript:alert(1) returns null/"" for all values. Next, the protocol of the URL is then checked using the isScriptProtocol function. This function simply checks the input against a list of protocols, and does not perform any parsing. The combination of refusing to parse poorly formatted URLs, and not performing additional parsing means that script checks fail as no protocol can be found. Even if a protocol was identified, whitespace is not stripped in the parseURL implementation, bypassing the isScriptProtocol checks. Certain special protocols are identified at the top of parseURL. Inserting a newline or tab into this sequence will block the special protocol check, and bypass the latter checks. This ONLY has impact after SSR has occured, the `javascript:` protocol within a location header does not trigger XSS. This issue has been addressed in release version 3.12.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/nuxt/nuxt/security/advisories/GHSA-vf6r-87q4-2vjf | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BB92C785-9011-406E-A048-9FEC653045EC",
"versionEndExcluding": "3.12.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. The `navigateTo` function attempts to blockthe `javascript:` protocol, but does not correctly use API\u0027s provided by `unjs/ufo`. This library also contains parsing discrepancies. The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL parsing. This function works effectively, and returns true for a javascript: protocol. After this, the URL is parsed using the parseURL function. This function will refuse to parse poorly formatted URLs. Parsing javascript:alert(1) returns null/\"\" for all values. Next, the protocol of the URL is then checked using the isScriptProtocol function. This function simply checks the input against a list of protocols, and does not perform any parsing. The combination of refusing to parse poorly formatted URLs, and not performing additional parsing means that script checks fail as no protocol can be found. Even if a protocol was identified, whitespace is not stripped in the parseURL implementation, bypassing the isScriptProtocol checks. Certain special protocols are identified at the top of parseURL. Inserting a newline or tab into this sequence will block the special protocol check, and bypass the latter checks. This ONLY has impact after SSR has occured, the `javascript:` protocol within a location header does not trigger XSS. This issue has been addressed in release version 3.12.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Nuxt es un framework gratuito y de c\u00f3digo abierto para crear sitios web y aplicaciones web completos con Vue.js. La funci\u00f3n `navigateTo` intenta bloquear el protocolo `javascript:`, pero no utiliza correctamente las API proporcionadas por `unjs/ufo`. Esta biblioteca tambi\u00e9n contiene discrepancias en el an\u00e1lisis. La funci\u00f3n primero prueba para ver si la URL especificada tiene un protocolo. Esto utiliza el paquete unjs/ufo para el an\u00e1lisis de URL. Esta funci\u00f3n funciona de manera efectiva y devuelve verdadero para un protocolo javascript:. Despu\u00e9s de esto, la URL se analiza utilizando la funci\u00f3n parseURL. Esta funci\u00f3n se negar\u00e1 a analizar URL mal formateadas. El an\u00e1lisis de javascript:alert(1) devuelve null/\"\" para todos los valores. A continuaci\u00f3n, se verifica el protocolo de la URL utilizando la funci\u00f3n isScriptProtocol. Esta funci\u00f3n simplemente compara la entrada con una lista de protocolos y no realiza ning\u00fan an\u00e1lisis. La combinaci\u00f3n de negarse a analizar URL mal formateadas y no realizar an\u00e1lisis adicionales significa que las comprobaciones de secuencias de comandos fallan porque no se puede encontrar ning\u00fan protocolo. Incluso si se identific\u00f3 un protocolo, los espacios en blanco no se eliminan en la implementaci\u00f3n de parseURL, evitando las comprobaciones de isScriptProtocol. Ciertos protocolos especiales se identifican en la parte superior de parseURL. Insertar una nueva l\u00ednea o una pesta\u00f1a en esta secuencia bloquear\u00e1 la verificaci\u00f3n del protocolo especial y omitir\u00e1 las \u00faltimas comprobaciones. Esto S\u00d3LO tiene impacto despu\u00e9s de que se haya producido SSR, el protocolo `javascript:` dentro de un encabezado de ubicaci\u00f3n no activa XSS. Este problema se solucion\u00f3 en la versi\u00f3n 3.12.4 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2024-34343",
"lastModified": "2024-09-19T19:57:52.007",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-05T21:15:38.257",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-vf6r-87q4-2vjf"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-23657
Vulnerability from fkie_nvd - Published: 2024-08-05 21:15 - Updated: 2024-09-20 12:49
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Nuxt Devtools is missing authentication on the `getTextAssetContent` RPC function which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attacker is able to interact with a locally running devtools instance and exfiltrate data abusing this vulnerability. In certain configurations an attacker could leak the devtools authentication token and then abuse other RPC functions to achieve RCE. The `getTextAssetContent` function does not check for path traversals, this could allow an attacker to read arbitrary files over the RPC WebSocket. The WebSocket server does not check the origin of the request leading to cross-site-websocket-hijacking. This may be intentional to allow certain configurations to work correctly. Nuxt Devtools authentication tokens are placed within the home directory of the current user. The malicious webpage can connect to the Devtools WebSocket, perform a directory traversal brute force to find the authentication token, then use the *authenticated* `writeStaticAssets` function to create a new Component, Nitro Handler or `app.vue` file which will run automatically as the file is changed. This vulnerability has been addressed in release version 1.3.9. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D74FCC4E-3C6E-4A3E-87F1-F7D5875BA7D5",
"versionEndExcluding": "1.3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Nuxt Devtools is missing authentication on the `getTextAssetContent` RPC function which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attacker is able to interact with a locally running devtools instance and exfiltrate data abusing this vulnerability. In certain configurations an attacker could leak the devtools authentication token and then abuse other RPC functions to achieve RCE. The `getTextAssetContent` function does not check for path traversals, this could allow an attacker to read arbitrary files over the RPC WebSocket. The WebSocket server does not check the origin of the request leading to cross-site-websocket-hijacking. This may be intentional to allow certain configurations to work correctly. Nuxt Devtools authentication tokens are placed within the home directory of the current user. The malicious webpage can connect to the Devtools WebSocket, perform a directory traversal brute force to find the authentication token, then use the *authenticated* `writeStaticAssets` function to create a new Component, Nitro Handler or `app.vue` file which will run automatically as the file is changed. This vulnerability has been addressed in release version 1.3.9. All users are advised to upgrade. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Nuxt es un framework gratuito y de c\u00f3digo abierto para crear sitios web y aplicaciones web completos con Vue.js. A Nuxt Devtools le falta autenticaci\u00f3n en la funci\u00f3n RPC `getTextAssetContent`, que es vulnerable a path traversal. Combinado con la falta de comprobaciones de origen en el controlador WebSocket, un atacante puede interactuar con una instancia de devtools que se ejecuta localmente y extraer datos abusando de esta vulnerabilidad. En determinadas configuraciones, un atacante podr\u00eda filtrar el token de autenticaci\u00f3n de devtools y luego abusar de otras funciones RPC para lograr RCE. La funci\u00f3n `getTextAssetContent` no comprueba los path traversal, lo que podr\u00eda permitir a un atacante leer archivos arbitrarios a trav\u00e9s del RPC WebSocket. El servidor WebSocket no verifica el origen de la solicitud, lo que conduce al secuestro de websocket entre sitios. Esto puede ser intencionado para permitir que ciertas configuraciones funcionen correctamente. Los tokens de autenticaci\u00f3n de Nuxt Devtools se colocan dentro del directorio de inicio del usuario actual. La p\u00e1gina web maliciosa puede conectarse al WebSocket de Devtools, realizar un directory traversal por fuerza bruta para encontrar el token de autenticaci\u00f3n y luego usar la funci\u00f3n *autenticada* `writeStaticAssets` para crear un nuevo componente, Nitro Handler o archivo `app.vue` que se ejecutar\u00e1 autom\u00e1ticamente a medida que se cambia el archivo. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 1.3.9. Se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2024-23657",
"lastModified": "2024-09-20T12:49:35.743",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-05T21:15:37.880",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/dev-auth.ts#L14"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/assets.ts#L88C48-L88C48"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/assets.ts#L96C11-L96C28"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/index.ts#L109"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-rcvg-rgf7-pppv"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
},
{
"lang": "en",
"value": "CWE-24"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-3224
Vulnerability from fkie_nvd - Published: 2023-06-13 18:15 - Updated: 2024-11-21 08:16
Severity ?
Summary
Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9214BBA2-F8F7-4A82-B099-00D4FDEA1B76",
"versionEndExcluding": "3.4.3",
"versionStartIncluding": "3.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3."
},
{
"lang": "es",
"value": "Inyecci\u00f3n de c\u00f3digo en el repositorio de GitHub nuxt/nuxt anterior a 3.5.3."
}
],
"id": "CVE-2023-3224",
"lastModified": "2024-11-21T08:16:44.247",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-13T18:15:22.370",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/nuxt/nuxt/commit/65a8f4eb3ef1b249a95fd59e323835a96428baff"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/1eb74fd8-0258-4c1f-a904-83b52e373a87"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/nuxt/nuxt/commit/65a8f4eb3ef1b249a95fd59e323835a96428baff"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/1eb74fd8-0258-4c1f-a904-83b52e373a87"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "security@huntr.dev",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-0878
Vulnerability from fkie_nvd - Published: 2023-02-17 01:15 - Updated: 2025-05-01 15:14
Severity ?
Summary
Cross-site Scripting (XSS) - Generic in GitHub repository nuxt/framework prior to 3.2.1.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "919CC63C-F71B-4632-A7CA-A9C66802858B",
"versionEndExcluding": "3.2.1",
"versionStartExcluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nuxt:nuxt:3.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "741727C5-A904-4B59-BD98-8E78E450C8AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nuxt:nuxt:3.0.0:rc13:*:*:*:*:*:*",
"matchCriteriaId": "FF6DACA0-1E3D-46F3-AB1C-14FABC3C5A8E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nuxt:nuxt:3.0.0:rc14:*:*:*:*:*:*",
"matchCriteriaId": "9A33BBE0-F52A-4792-931B-92298FFB1529",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository nuxt/framework prior to 3.2.1."
},
{
"lang": "es",
"value": "Cross-site Scripting (XSS): gen\u00e9rico en el repositorio nuxt/framework de GitHub anterior a 3.2.1."
}
],
"id": "CVE-2023-0878",
"lastModified": "2025-05-01T15:14:21.883",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-17T01:15:10.773",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/nuxt/framework/commit/7aa35ff958eec0c7d071d3fcd481db57281dbcd9"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/a892caf7-b8c2-4638-8cee-eb779d51066a"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/nuxt/framework/commit/7aa35ff958eec0c7d071d3fcd481db57281dbcd9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/a892caf7-b8c2-4638-8cee-eb779d51066a"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
CVE-2025-59414 (GCVE-0-2025-59414)
Vulnerability from cvelistv5 – Published: 2025-09-17 18:39 – Updated: 2025-09-17 19:42
VLAI?
Summary
Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object, he data gets serialized with devalue.stringify and stored in the prerendered page. When a client navigates to the prerendered page, devalue.parse deserializes the payload. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences. Update to Nuxt 3.19.0+ or 4.1.0+.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59414",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T19:42:38.698134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T19:42:44.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.6.0 \u003c 3.19.0"
},
{
"status": "affected",
"version": "\u003e= 4.0.0 \u003c 4.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, A client-side path traversal vulnerability in Nuxt\u0027s Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object, he data gets serialized with devalue.stringify and stored in the prerendered page. When a client navigates to the prerendered page, devalue.parse deserializes the payload. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences. Update to Nuxt 3.19.0+ or 4.1.0+."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T18:39:38.193Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-p6jq-8vc4-79f6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-p6jq-8vc4-79f6"
},
{
"name": "https://github.com/nuxt/nuxt/commit/2566d2046bccb158d98fb13e42ce4b2c33fb2595",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/2566d2046bccb158d98fb13e42ce4b2c33fb2595"
}
],
"source": {
"advisory": "GHSA-p6jq-8vc4-79f6",
"discovery": "UNKNOWN"
},
"title": "Nuxt Client-Side Path Traversal in Nuxt Island Payload Revival"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59414",
"datePublished": "2025-09-17T18:39:38.193Z",
"dateReserved": "2025-09-15T19:13:16.903Z",
"dateUpdated": "2025-09-17T19:42:44.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27415 (GCVE-0-2025-27415)
Vulnerability from cvelistv5 – Published: 2025-03-19 19:02 – Updated: 2025-03-19 19:22
VLAI?
Summary
Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable. This vulnerability is fixed in 3.16.0.
Severity ?
7.5 (High)
CWE
- CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27415",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T19:22:15.796670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T19:22:25.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.16.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable. This vulnerability is fixed in 3.16.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-349",
"description": "CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T19:02:04.824Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93"
}
],
"source": {
"advisory": "GHSA-jvhm-gjrh-3h93",
"discovery": "UNKNOWN"
},
"title": "Nuxt allows DOS via cache poisoning with payload rendering response"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27415",
"datePublished": "2025-03-19T19:02:04.824Z",
"dateReserved": "2025-02-24T15:51:17.268Z",
"dateUpdated": "2025-03-19T19:22:25.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24361 (GCVE-0-2025-24361)
Vulnerability from cvelistv5 – Published: 2025-01-25 00:53 – Updated: 2025-02-12 20:41
VLAI?
Summary
Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code. Version 3.15.13 of Nuxt patches this issue.
Severity ?
5.3 (Medium)
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24361",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T14:13:25.340238Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:32.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.15.3"
},
{
"status": "affected",
"version": "\u003e= 3.12.2, \u003c 3.15.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code. Version 3.15.13 of Nuxt patches this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-25T00:53:23.400Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99"
},
{
"name": "https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f"
}
],
"source": {
"advisory": "GHSA-4gf7-ff8x-hq99",
"discovery": "UNKNOWN"
},
"title": "Opening a malicious website while running a Nuxt dev server could allow read-only access to code"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24361",
"datePublished": "2025-01-25T00:53:23.400Z",
"dateReserved": "2025-01-20T15:18:26.989Z",
"dateUpdated": "2025-02-12T20:41:32.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24360 (GCVE-0-2025-24360)
Vulnerability from cvelistv5 – Published: 2025-01-25 00:49 – Updated: 2025-02-12 20:41
VLAI?
Summary
Nuxt is an open-source web development framework for Vue.js. Starting in version 3.8.1 and prior to version 3.15.3, Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings. Users with the default server.cors option using Vite builder may get the source code stolen by malicious websites. Version 3.15.3 fixes the vulnerability.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24360",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T14:15:00.708644Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:32.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.8.1, \u003c 3.15.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. Starting in version 3.8.1 and prior to version 3.15.3, Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings. Users with the default server.cors option using Vite builder may get the source code stolen by malicious websites. Version 3.15.3 fixes the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-25T00:49:09.783Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-2452-6xj8-jh47",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-2452-6xj8-jh47"
},
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6"
},
{
"name": "https://github.com/nuxt/nuxt/pull/23995",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/pull/23995"
},
{
"name": "https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f"
},
{
"name": "https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/client.ts#L257-L263",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/client.ts#L257-L263"
},
{
"name": "https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/vite-node.ts#L39",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/vite-node.ts#L39"
}
],
"source": {
"advisory": "GHSA-2452-6xj8-jh47",
"discovery": "UNKNOWN"
},
"title": "Opening a malicious website while running a Nuxt dev server could allow read-only access to code"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24360",
"datePublished": "2025-01-25T00:49:09.783Z",
"dateReserved": "2025-01-20T15:18:26.989Z",
"dateUpdated": "2025-02-12T20:41:32.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42352 (GCVE-0-2024-42352)
Vulnerability from cvelistv5 – Published: 2024-08-05 20:38 – Updated: 2024-08-06 15:25
VLAI?
Summary
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. `nuxt/icon` provides an API to allow client side icon lookup. This endpoint is at `/api/_nuxt_icon/[name]`. The proxied request path is improperly parsed, allowing an attacker to change the scheme and host of the request. This leads to SSRF, and could potentially lead to sensitive data exposure. The `new URL` constructor is used to parse the final path. This constructor can be passed a relative scheme or path in order to change the host the request is sent to. This constructor is also very tolerant of poorly formatted URLs. As a result we can pass a path prefixed with the string `http:`. This has the effect of changing the scheme to HTTP. We can then subsequently pass a new host, for example `http:127.0.0.1:8080`. This would allow us to send requests to a local server. This issue has been addressed in release version 1.4.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
8.6 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nuxt:icon:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "icon",
"vendor": "nuxt",
"versions": [
{
"lessThan": "1.4.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42352",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-06T15:19:46.203842Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-06T15:25:44.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icon",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. `nuxt/icon` provides an API to allow client side icon lookup. This endpoint is at `/api/_nuxt_icon/[name]`. The proxied request path is improperly parsed, allowing an attacker to change the scheme and host of the request. This leads to SSRF, and could potentially lead to sensitive data exposure. The `new URL` constructor is used to parse the final path. This constructor can be passed a relative scheme or path in order to change the host the request is sent to. This constructor is also very tolerant of poorly formatted URLs. As a result we can pass a path prefixed with the string `http:`. This has the effect of changing the scheme to HTTP. We can then subsequently pass a new host, for example `http:127.0.0.1:8080`. This would allow us to send requests to a local server. This issue has been addressed in release version 1.4.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:38:08.419Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/icon/security/advisories/GHSA-cxgv-px37-4mp2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/icon/security/advisories/GHSA-cxgv-px37-4mp2"
}
],
"source": {
"advisory": "GHSA-cxgv-px37-4mp2",
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery (SSRF) in nuxt-icon"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-42352",
"datePublished": "2024-08-05T20:38:08.419Z",
"dateReserved": "2024-07-30T14:01:33.922Z",
"dateUpdated": "2024-08-06T15:25:44.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34344 (GCVE-0-2024-34344)
Vulnerability from cvelistv5 – Published: 2024-08-05 20:36 – Updated: 2024-08-12 19:50
VLAI?
Summary
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Due to the insufficient validation of the `path` parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands. Users who open a malicious web page in the browser while running the test locally are affected by this vulnerability, which results in the remote code execution from the malicious web page. Since web pages can send requests to arbitrary addresses, a malicious web page can repeatedly try to exploit this vulnerability, which then triggers the exploit when the test server starts.
Severity ?
8.8 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"lessThan": "3.12.4",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34344",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T20:43:19.664529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T19:50:45.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.4.0 \u003c 3.12.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Due to the insufficient validation of the `path` parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands. Users who open a malicious web page in the browser while running the test locally are affected by this vulnerability, which results in the remote code execution from the malicious web page. Since web pages can send requests to arbitrary addresses, a malicious web page can repeatedly try to exploit this vulnerability, which then triggers the exploit when the test server starts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:36:20.878Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-v784-fjjh-f8r4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-v784-fjjh-f8r4"
}
],
"source": {
"advisory": "GHSA-v784-fjjh-f8r4",
"discovery": "UNKNOWN"
},
"title": "Remote code execution via the browser when running the test locally in nuxt"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34344",
"datePublished": "2024-08-05T20:36:20.878Z",
"dateReserved": "2024-05-02T06:36:32.437Z",
"dateUpdated": "2024-08-12T19:50:45.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34343 (GCVE-0-2024-34343)
Vulnerability from cvelistv5 – Published: 2024-08-05 20:35 – Updated: 2024-08-08 15:51
VLAI?
Summary
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. The `navigateTo` function attempts to blockthe `javascript:` protocol, but does not correctly use API's provided by `unjs/ufo`. This library also contains parsing discrepancies. The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL parsing. This function works effectively, and returns true for a javascript: protocol. After this, the URL is parsed using the parseURL function. This function will refuse to parse poorly formatted URLs. Parsing javascript:alert(1) returns null/"" for all values. Next, the protocol of the URL is then checked using the isScriptProtocol function. This function simply checks the input against a list of protocols, and does not perform any parsing. The combination of refusing to parse poorly formatted URLs, and not performing additional parsing means that script checks fail as no protocol can be found. Even if a protocol was identified, whitespace is not stripped in the parseURL implementation, bypassing the isScriptProtocol checks. Certain special protocols are identified at the top of parseURL. Inserting a newline or tab into this sequence will block the special protocol check, and bypass the latter checks. This ONLY has impact after SSR has occured, the `javascript:` protocol within a location header does not trigger XSS. This issue has been addressed in release version 3.12.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
6.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nuxt:nuxt:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "3.12.4"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34343",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T15:48:37.429729Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T15:51:24.069Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003c 3.12.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. The `navigateTo` function attempts to blockthe `javascript:` protocol, but does not correctly use API\u0027s provided by `unjs/ufo`. This library also contains parsing discrepancies. The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL parsing. This function works effectively, and returns true for a javascript: protocol. After this, the URL is parsed using the parseURL function. This function will refuse to parse poorly formatted URLs. Parsing javascript:alert(1) returns null/\"\" for all values. Next, the protocol of the URL is then checked using the isScriptProtocol function. This function simply checks the input against a list of protocols, and does not perform any parsing. The combination of refusing to parse poorly formatted URLs, and not performing additional parsing means that script checks fail as no protocol can be found. Even if a protocol was identified, whitespace is not stripped in the parseURL implementation, bypassing the isScriptProtocol checks. Certain special protocols are identified at the top of parseURL. Inserting a newline or tab into this sequence will block the special protocol check, and bypass the latter checks. This ONLY has impact after SSR has occured, the `javascript:` protocol within a location header does not trigger XSS. This issue has been addressed in release version 3.12.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:35:13.258Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-vf6r-87q4-2vjf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-vf6r-87q4-2vjf"
}
],
"source": {
"advisory": "GHSA-vf6r-87q4-2vjf",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting (XSS) in navigateTo if used after SSR in nuxt"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34343",
"datePublished": "2024-08-05T20:35:13.258Z",
"dateReserved": "2024-05-02T06:36:32.437Z",
"dateUpdated": "2024-08-08T15:51:24.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23657 (GCVE-0-2024-23657)
Vulnerability from cvelistv5 – Published: 2024-08-05 20:27 – Updated: 2024-08-08 13:36
VLAI?
Summary
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Nuxt Devtools is missing authentication on the `getTextAssetContent` RPC function which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attacker is able to interact with a locally running devtools instance and exfiltrate data abusing this vulnerability. In certain configurations an attacker could leak the devtools authentication token and then abuse other RPC functions to achieve RCE. The `getTextAssetContent` function does not check for path traversals, this could allow an attacker to read arbitrary files over the RPC WebSocket. The WebSocket server does not check the origin of the request leading to cross-site-websocket-hijacking. This may be intentional to allow certain configurations to work correctly. Nuxt Devtools authentication tokens are placed within the home directory of the current user. The malicious webpage can connect to the Devtools WebSocket, perform a directory traversal brute force to find the authentication token, then use the *authenticated* `writeStaticAssets` function to create a new Component, Nitro Handler or `app.vue` file which will run automatically as the file is changed. This vulnerability has been addressed in release version 1.3.9. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
8.8 (High)
CWE
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"lessThan": "1.3.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23657",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T13:35:32.613126Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T13:36:34.991Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Nuxt Devtools is missing authentication on the `getTextAssetContent` RPC function which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attacker is able to interact with a locally running devtools instance and exfiltrate data abusing this vulnerability. In certain configurations an attacker could leak the devtools authentication token and then abuse other RPC functions to achieve RCE. The `getTextAssetContent` function does not check for path traversals, this could allow an attacker to read arbitrary files over the RPC WebSocket. The WebSocket server does not check the origin of the request leading to cross-site-websocket-hijacking. This may be intentional to allow certain configurations to work correctly. Nuxt Devtools authentication tokens are placed within the home directory of the current user. The malicious webpage can connect to the Devtools WebSocket, perform a directory traversal brute force to find the authentication token, then use the *authenticated* `writeStaticAssets` function to create a new Component, Nitro Handler or `app.vue` file which will run automatically as the file is changed. This vulnerability has been addressed in release version 1.3.9. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-24",
"description": "CWE-24: Path Traversal: \u0027../filedir\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:27:38.472Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-rcvg-rgf7-pppv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-rcvg-rgf7-pppv"
},
{
"name": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/dev-auth.ts#L14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/dev-auth.ts#L14"
},
{
"name": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/assets.ts#L88C48-L88C48",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/assets.ts#L88C48-L88C48"
},
{
"name": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/assets.ts#L96C11-L96C28",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/assets.ts#L96C11-L96C28"
},
{
"name": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/index.ts#L109",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/index.ts#L109"
},
{
"name": "https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking",
"tags": [
"x_refsource_MISC"
],
"url": "https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking"
}
],
"source": {
"advisory": "GHSA-rcvg-rgf7-pppv",
"discovery": "UNKNOWN"
},
"title": "Path Traversal: \u0027../filedir\u0027 in Nuxt Devtools"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23657",
"datePublished": "2024-08-05T20:27:38.472Z",
"dateReserved": "2024-01-19T00:18:53.235Z",
"dateUpdated": "2024-08-08T13:36:34.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3224 (GCVE-0-2023-3224)
Vulnerability from cvelistv5 – Published: 2023-06-13 00:00 – Updated: 2025-01-03 02:10
VLAI?
Summary
Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3.
Severity ?
8.1 (High)
CWE
- CWE-94 - Improper Control of Generation of Code
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:48:08.244Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/1eb74fd8-0258-4c1f-a904-83b52e373a87"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/nuxt/nuxt/commit/65a8f4eb3ef1b249a95fd59e323835a96428baff"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3224",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T02:09:25.259559Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T02:10:07.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt/nuxt",
"vendor": "nuxt",
"versions": [
{
"lessThan": "3.5.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-13T00:00:00",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/1eb74fd8-0258-4c1f-a904-83b52e373a87"
},
{
"url": "https://github.com/nuxt/nuxt/commit/65a8f4eb3ef1b249a95fd59e323835a96428baff"
}
],
"source": {
"advisory": "1eb74fd8-0258-4c1f-a904-83b52e373a87",
"discovery": "EXTERNAL"
},
"title": " Code Injection in nuxt/nuxt"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3224",
"datePublished": "2023-06-13T00:00:00",
"dateReserved": "2023-06-13T00:00:00",
"dateUpdated": "2025-01-03T02:10:07.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0878 (GCVE-0-2023-0878)
Vulnerability from cvelistv5 – Published: 2023-02-17 00:00 – Updated: 2025-03-18 16:00
VLAI?
Summary
Cross-site Scripting (XSS) - Generic in GitHub repository nuxt/framework prior to 3.2.1.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nuxt | nuxt/framework |
Affected:
unspecified , < 3.2.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:24:34.703Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/a892caf7-b8c2-4638-8cee-eb779d51066a"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/nuxt/framework/commit/7aa35ff958eec0c7d071d3fcd481db57281dbcd9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0878",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T16:00:26.362072Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T16:00:33.154Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt/framework",
"vendor": "nuxt",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository nuxt/framework prior to 3.2.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-17T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/a892caf7-b8c2-4638-8cee-eb779d51066a"
},
{
"url": "https://github.com/nuxt/framework/commit/7aa35ff958eec0c7d071d3fcd481db57281dbcd9"
}
],
"source": {
"advisory": "a892caf7-b8c2-4638-8cee-eb779d51066a",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Generic in nuxt/framework"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-0878",
"datePublished": "2023-02-17T00:00:00.000Z",
"dateReserved": "2023-02-17T00:00:00.000Z",
"dateUpdated": "2025-03-18T16:00:33.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59414 (GCVE-0-2025-59414)
Vulnerability from nvd – Published: 2025-09-17 18:39 – Updated: 2025-09-17 19:42
VLAI?
Summary
Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object, he data gets serialized with devalue.stringify and stored in the prerendered page. When a client navigates to the prerendered page, devalue.parse deserializes the payload. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences. Update to Nuxt 3.19.0+ or 4.1.0+.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59414",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T19:42:38.698134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T19:42:44.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.6.0 \u003c 3.19.0"
},
{
"status": "affected",
"version": "\u003e= 4.0.0 \u003c 4.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, A client-side path traversal vulnerability in Nuxt\u0027s Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object, he data gets serialized with devalue.stringify and stored in the prerendered page. When a client navigates to the prerendered page, devalue.parse deserializes the payload. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences. Update to Nuxt 3.19.0+ or 4.1.0+."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T18:39:38.193Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-p6jq-8vc4-79f6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-p6jq-8vc4-79f6"
},
{
"name": "https://github.com/nuxt/nuxt/commit/2566d2046bccb158d98fb13e42ce4b2c33fb2595",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/2566d2046bccb158d98fb13e42ce4b2c33fb2595"
}
],
"source": {
"advisory": "GHSA-p6jq-8vc4-79f6",
"discovery": "UNKNOWN"
},
"title": "Nuxt Client-Side Path Traversal in Nuxt Island Payload Revival"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59414",
"datePublished": "2025-09-17T18:39:38.193Z",
"dateReserved": "2025-09-15T19:13:16.903Z",
"dateUpdated": "2025-09-17T19:42:44.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27415 (GCVE-0-2025-27415)
Vulnerability from nvd – Published: 2025-03-19 19:02 – Updated: 2025-03-19 19:22
VLAI?
Summary
Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable. This vulnerability is fixed in 3.16.0.
Severity ?
7.5 (High)
CWE
- CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27415",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T19:22:15.796670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T19:22:25.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.16.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable. This vulnerability is fixed in 3.16.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-349",
"description": "CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T19:02:04.824Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93"
}
],
"source": {
"advisory": "GHSA-jvhm-gjrh-3h93",
"discovery": "UNKNOWN"
},
"title": "Nuxt allows DOS via cache poisoning with payload rendering response"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27415",
"datePublished": "2025-03-19T19:02:04.824Z",
"dateReserved": "2025-02-24T15:51:17.268Z",
"dateUpdated": "2025-03-19T19:22:25.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24361 (GCVE-0-2025-24361)
Vulnerability from nvd – Published: 2025-01-25 00:53 – Updated: 2025-02-12 20:41
VLAI?
Summary
Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code. Version 3.15.13 of Nuxt patches this issue.
Severity ?
5.3 (Medium)
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24361",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T14:13:25.340238Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:32.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.15.3"
},
{
"status": "affected",
"version": "\u003e= 3.12.2, \u003c 3.15.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code. Version 3.15.13 of Nuxt patches this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-25T00:53:23.400Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99"
},
{
"name": "https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f"
}
],
"source": {
"advisory": "GHSA-4gf7-ff8x-hq99",
"discovery": "UNKNOWN"
},
"title": "Opening a malicious website while running a Nuxt dev server could allow read-only access to code"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24361",
"datePublished": "2025-01-25T00:53:23.400Z",
"dateReserved": "2025-01-20T15:18:26.989Z",
"dateUpdated": "2025-02-12T20:41:32.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24360 (GCVE-0-2025-24360)
Vulnerability from nvd – Published: 2025-01-25 00:49 – Updated: 2025-02-12 20:41
VLAI?
Summary
Nuxt is an open-source web development framework for Vue.js. Starting in version 3.8.1 and prior to version 3.15.3, Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings. Users with the default server.cors option using Vite builder may get the source code stolen by malicious websites. Version 3.15.3 fixes the vulnerability.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24360",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T14:15:00.708644Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:32.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.8.1, \u003c 3.15.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. Starting in version 3.8.1 and prior to version 3.15.3, Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings. Users with the default server.cors option using Vite builder may get the source code stolen by malicious websites. Version 3.15.3 fixes the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-25T00:49:09.783Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-2452-6xj8-jh47",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-2452-6xj8-jh47"
},
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6"
},
{
"name": "https://github.com/nuxt/nuxt/pull/23995",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/pull/23995"
},
{
"name": "https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f"
},
{
"name": "https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/client.ts#L257-L263",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/client.ts#L257-L263"
},
{
"name": "https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/vite-node.ts#L39",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/vite-node.ts#L39"
}
],
"source": {
"advisory": "GHSA-2452-6xj8-jh47",
"discovery": "UNKNOWN"
},
"title": "Opening a malicious website while running a Nuxt dev server could allow read-only access to code"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24360",
"datePublished": "2025-01-25T00:49:09.783Z",
"dateReserved": "2025-01-20T15:18:26.989Z",
"dateUpdated": "2025-02-12T20:41:32.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42352 (GCVE-0-2024-42352)
Vulnerability from nvd – Published: 2024-08-05 20:38 – Updated: 2024-08-06 15:25
VLAI?
Summary
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. `nuxt/icon` provides an API to allow client side icon lookup. This endpoint is at `/api/_nuxt_icon/[name]`. The proxied request path is improperly parsed, allowing an attacker to change the scheme and host of the request. This leads to SSRF, and could potentially lead to sensitive data exposure. The `new URL` constructor is used to parse the final path. This constructor can be passed a relative scheme or path in order to change the host the request is sent to. This constructor is also very tolerant of poorly formatted URLs. As a result we can pass a path prefixed with the string `http:`. This has the effect of changing the scheme to HTTP. We can then subsequently pass a new host, for example `http:127.0.0.1:8080`. This would allow us to send requests to a local server. This issue has been addressed in release version 1.4.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
8.6 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nuxt:icon:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "icon",
"vendor": "nuxt",
"versions": [
{
"lessThan": "1.4.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42352",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-06T15:19:46.203842Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-06T15:25:44.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icon",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. `nuxt/icon` provides an API to allow client side icon lookup. This endpoint is at `/api/_nuxt_icon/[name]`. The proxied request path is improperly parsed, allowing an attacker to change the scheme and host of the request. This leads to SSRF, and could potentially lead to sensitive data exposure. The `new URL` constructor is used to parse the final path. This constructor can be passed a relative scheme or path in order to change the host the request is sent to. This constructor is also very tolerant of poorly formatted URLs. As a result we can pass a path prefixed with the string `http:`. This has the effect of changing the scheme to HTTP. We can then subsequently pass a new host, for example `http:127.0.0.1:8080`. This would allow us to send requests to a local server. This issue has been addressed in release version 1.4.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:38:08.419Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/icon/security/advisories/GHSA-cxgv-px37-4mp2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/icon/security/advisories/GHSA-cxgv-px37-4mp2"
}
],
"source": {
"advisory": "GHSA-cxgv-px37-4mp2",
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery (SSRF) in nuxt-icon"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-42352",
"datePublished": "2024-08-05T20:38:08.419Z",
"dateReserved": "2024-07-30T14:01:33.922Z",
"dateUpdated": "2024-08-06T15:25:44.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34344 (GCVE-0-2024-34344)
Vulnerability from nvd – Published: 2024-08-05 20:36 – Updated: 2024-08-12 19:50
VLAI?
Summary
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Due to the insufficient validation of the `path` parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands. Users who open a malicious web page in the browser while running the test locally are affected by this vulnerability, which results in the remote code execution from the malicious web page. Since web pages can send requests to arbitrary addresses, a malicious web page can repeatedly try to exploit this vulnerability, which then triggers the exploit when the test server starts.
Severity ?
8.8 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"lessThan": "3.12.4",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34344",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T20:43:19.664529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T19:50:45.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.4.0 \u003c 3.12.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Due to the insufficient validation of the `path` parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands. Users who open a malicious web page in the browser while running the test locally are affected by this vulnerability, which results in the remote code execution from the malicious web page. Since web pages can send requests to arbitrary addresses, a malicious web page can repeatedly try to exploit this vulnerability, which then triggers the exploit when the test server starts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:36:20.878Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-v784-fjjh-f8r4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-v784-fjjh-f8r4"
}
],
"source": {
"advisory": "GHSA-v784-fjjh-f8r4",
"discovery": "UNKNOWN"
},
"title": "Remote code execution via the browser when running the test locally in nuxt"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34344",
"datePublished": "2024-08-05T20:36:20.878Z",
"dateReserved": "2024-05-02T06:36:32.437Z",
"dateUpdated": "2024-08-12T19:50:45.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34343 (GCVE-0-2024-34343)
Vulnerability from nvd – Published: 2024-08-05 20:35 – Updated: 2024-08-08 15:51
VLAI?
Summary
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. The `navigateTo` function attempts to blockthe `javascript:` protocol, but does not correctly use API's provided by `unjs/ufo`. This library also contains parsing discrepancies. The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL parsing. This function works effectively, and returns true for a javascript: protocol. After this, the URL is parsed using the parseURL function. This function will refuse to parse poorly formatted URLs. Parsing javascript:alert(1) returns null/"" for all values. Next, the protocol of the URL is then checked using the isScriptProtocol function. This function simply checks the input against a list of protocols, and does not perform any parsing. The combination of refusing to parse poorly formatted URLs, and not performing additional parsing means that script checks fail as no protocol can be found. Even if a protocol was identified, whitespace is not stripped in the parseURL implementation, bypassing the isScriptProtocol checks. Certain special protocols are identified at the top of parseURL. Inserting a newline or tab into this sequence will block the special protocol check, and bypass the latter checks. This ONLY has impact after SSR has occured, the `javascript:` protocol within a location header does not trigger XSS. This issue has been addressed in release version 3.12.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
6.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nuxt:nuxt:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "3.12.4"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34343",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T15:48:37.429729Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T15:51:24.069Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003c 3.12.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. The `navigateTo` function attempts to blockthe `javascript:` protocol, but does not correctly use API\u0027s provided by `unjs/ufo`. This library also contains parsing discrepancies. The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL parsing. This function works effectively, and returns true for a javascript: protocol. After this, the URL is parsed using the parseURL function. This function will refuse to parse poorly formatted URLs. Parsing javascript:alert(1) returns null/\"\" for all values. Next, the protocol of the URL is then checked using the isScriptProtocol function. This function simply checks the input against a list of protocols, and does not perform any parsing. The combination of refusing to parse poorly formatted URLs, and not performing additional parsing means that script checks fail as no protocol can be found. Even if a protocol was identified, whitespace is not stripped in the parseURL implementation, bypassing the isScriptProtocol checks. Certain special protocols are identified at the top of parseURL. Inserting a newline or tab into this sequence will block the special protocol check, and bypass the latter checks. This ONLY has impact after SSR has occured, the `javascript:` protocol within a location header does not trigger XSS. This issue has been addressed in release version 3.12.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:35:13.258Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-vf6r-87q4-2vjf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-vf6r-87q4-2vjf"
}
],
"source": {
"advisory": "GHSA-vf6r-87q4-2vjf",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting (XSS) in navigateTo if used after SSR in nuxt"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34343",
"datePublished": "2024-08-05T20:35:13.258Z",
"dateReserved": "2024-05-02T06:36:32.437Z",
"dateUpdated": "2024-08-08T15:51:24.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23657 (GCVE-0-2024-23657)
Vulnerability from nvd – Published: 2024-08-05 20:27 – Updated: 2024-08-08 13:36
VLAI?
Summary
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Nuxt Devtools is missing authentication on the `getTextAssetContent` RPC function which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attacker is able to interact with a locally running devtools instance and exfiltrate data abusing this vulnerability. In certain configurations an attacker could leak the devtools authentication token and then abuse other RPC functions to achieve RCE. The `getTextAssetContent` function does not check for path traversals, this could allow an attacker to read arbitrary files over the RPC WebSocket. The WebSocket server does not check the origin of the request leading to cross-site-websocket-hijacking. This may be intentional to allow certain configurations to work correctly. Nuxt Devtools authentication tokens are placed within the home directory of the current user. The malicious webpage can connect to the Devtools WebSocket, perform a directory traversal brute force to find the authentication token, then use the *authenticated* `writeStaticAssets` function to create a new Component, Nitro Handler or `app.vue` file which will run automatically as the file is changed. This vulnerability has been addressed in release version 1.3.9. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
8.8 (High)
CWE
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"lessThan": "1.3.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23657",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T13:35:32.613126Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T13:36:34.991Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Nuxt Devtools is missing authentication on the `getTextAssetContent` RPC function which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attacker is able to interact with a locally running devtools instance and exfiltrate data abusing this vulnerability. In certain configurations an attacker could leak the devtools authentication token and then abuse other RPC functions to achieve RCE. The `getTextAssetContent` function does not check for path traversals, this could allow an attacker to read arbitrary files over the RPC WebSocket. The WebSocket server does not check the origin of the request leading to cross-site-websocket-hijacking. This may be intentional to allow certain configurations to work correctly. Nuxt Devtools authentication tokens are placed within the home directory of the current user. The malicious webpage can connect to the Devtools WebSocket, perform a directory traversal brute force to find the authentication token, then use the *authenticated* `writeStaticAssets` function to create a new Component, Nitro Handler or `app.vue` file which will run automatically as the file is changed. This vulnerability has been addressed in release version 1.3.9. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-24",
"description": "CWE-24: Path Traversal: \u0027../filedir\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:27:38.472Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-rcvg-rgf7-pppv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-rcvg-rgf7-pppv"
},
{
"name": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/dev-auth.ts#L14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/dev-auth.ts#L14"
},
{
"name": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/assets.ts#L88C48-L88C48",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/assets.ts#L88C48-L88C48"
},
{
"name": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/assets.ts#L96C11-L96C28",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/assets.ts#L96C11-L96C28"
},
{
"name": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/index.ts#L109",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/index.ts#L109"
},
{
"name": "https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking",
"tags": [
"x_refsource_MISC"
],
"url": "https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking"
}
],
"source": {
"advisory": "GHSA-rcvg-rgf7-pppv",
"discovery": "UNKNOWN"
},
"title": "Path Traversal: \u0027../filedir\u0027 in Nuxt Devtools"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23657",
"datePublished": "2024-08-05T20:27:38.472Z",
"dateReserved": "2024-01-19T00:18:53.235Z",
"dateUpdated": "2024-08-08T13:36:34.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3224 (GCVE-0-2023-3224)
Vulnerability from nvd – Published: 2023-06-13 00:00 – Updated: 2025-01-03 02:10
VLAI?
Summary
Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3.
Severity ?
8.1 (High)
CWE
- CWE-94 - Improper Control of Generation of Code
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:48:08.244Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/1eb74fd8-0258-4c1f-a904-83b52e373a87"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/nuxt/nuxt/commit/65a8f4eb3ef1b249a95fd59e323835a96428baff"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3224",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T02:09:25.259559Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T02:10:07.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt/nuxt",
"vendor": "nuxt",
"versions": [
{
"lessThan": "3.5.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-13T00:00:00",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/1eb74fd8-0258-4c1f-a904-83b52e373a87"
},
{
"url": "https://github.com/nuxt/nuxt/commit/65a8f4eb3ef1b249a95fd59e323835a96428baff"
}
],
"source": {
"advisory": "1eb74fd8-0258-4c1f-a904-83b52e373a87",
"discovery": "EXTERNAL"
},
"title": " Code Injection in nuxt/nuxt"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3224",
"datePublished": "2023-06-13T00:00:00",
"dateReserved": "2023-06-13T00:00:00",
"dateUpdated": "2025-01-03T02:10:07.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0878 (GCVE-0-2023-0878)
Vulnerability from nvd – Published: 2023-02-17 00:00 – Updated: 2025-03-18 16:00
VLAI?
Summary
Cross-site Scripting (XSS) - Generic in GitHub repository nuxt/framework prior to 3.2.1.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nuxt | nuxt/framework |
Affected:
unspecified , < 3.2.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:24:34.703Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/a892caf7-b8c2-4638-8cee-eb779d51066a"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/nuxt/framework/commit/7aa35ff958eec0c7d071d3fcd481db57281dbcd9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0878",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T16:00:26.362072Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T16:00:33.154Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt/framework",
"vendor": "nuxt",
"versions": [
{
"lessThan": "3.2.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository nuxt/framework prior to 3.2.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-17T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/a892caf7-b8c2-4638-8cee-eb779d51066a"
},
{
"url": "https://github.com/nuxt/framework/commit/7aa35ff958eec0c7d071d3fcd481db57281dbcd9"
}
],
"source": {
"advisory": "a892caf7-b8c2-4638-8cee-eb779d51066a",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Generic in nuxt/framework"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-0878",
"datePublished": "2023-02-17T00:00:00.000Z",
"dateReserved": "2023-02-17T00:00:00.000Z",
"dateUpdated": "2025-03-18T16:00:33.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}