FKIE_CVE-2025-27415

Vulnerability from fkie_nvd - Published: 2025-03-19 19:15 - Updated: 2025-12-03 18:44
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable. This vulnerability is fixed in 3.16.0.
References
security-advisories@github.comhttps://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93Third Party Advisory
Impacted products
Vendor Product Version
nuxt nuxt *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4D5003E3-17E0-4FD0-8449-637E21A366A2",
              "versionEndExcluding": "3.16.0",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable. This vulnerability is fixed in 3.16.0."
    },
    {
      "lang": "es",
      "value": "Nuxt es un framework de desarrollo web de c\u00f3digo abierto para Vue.js. Antes de la versi\u00f3n 3.16.0, al enviar una solicitud HTTP manipulada a un servidor tras una CDN, era posible, en ciertas circunstancias, contaminar la cach\u00e9 de la CDN, lo que afectaba gravemente la disponibilidad de un sitio. Es posible manipular una solicitud, como https://mysite.com/?/_payload.json, que se renderizar\u00eda como JSON. Si la CDN frente a un sitio Nuxt ignora la cadena de consulta al determinar si se debe almacenar en cach\u00e9 una ruta, esta respuesta JSON podr\u00eda enviarse a futuros visitantes del sitio. Un atacante puede realizar este ataque a un sitio vulnerable para inhabilitarlo indefinidamente. Tambi\u00e9n es posible, si se restablece la cach\u00e9, crear un peque\u00f1o script que env\u00ede una solicitud cada X segundos (= duraci\u00f3n de la cach\u00e9), de modo que la cach\u00e9 se inutilice permanentemente, dejando el sitio completamente indisponible. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 3.16.0."
    }
  ],
  "id": "CVE-2025-27415",
  "lastModified": "2025-12-03T18:44:15.927",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-19T19:15:47.257",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-349"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.