Cross-site Scripting (XSS)
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the navigateTo open option. An attacker can execute arbitrary scripts in the application's origin by supplying a crafted open parameter containing a script-capable URL.
How to fix Cross-site Scripting (XSS)? Upgrade nuxt to version 3.21.7, 4.4.7 or higher.
| <3.21.7, >=4.0.0-alpha.1 <4.4.7 |
Open Redirect
Affected versions of this package are vulnerable to Open Redirect via the reloadNuxtApp() function. An attacker can redirect users to attacker-controlled hosts by injecting protocol-relative paths such as //evil.com, potentially enabling phishing attacks or theft of OAuth authorization codes.
How to fix Open Redirect? Upgrade nuxt to version 3.21.7, 4.4.7 or higher.
| <3.21.7, >=4.0.0-alpha.1 <4.4.7 |
Cross-site Scripting (XSS)
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the NoScript component when untrusted input is interpolated into its slot content. An attacker can inject malicious HTML or scripts by supplying specially crafted data that is rendered unescaped in the server-generated HTML, potentially leading to execution of arbitrary code in the user's browser.
How to fix Cross-site Scripting (XSS)? Upgrade nuxt to version 3.21.7, 4.4.7 or higher.
| <3.21.7, >=4.0.0-alpha.1 <4.4.7 |
Incorrect Default Permissions
Affected versions of this package are vulnerable to Incorrect Default Permissions via the module and resolve request types in the internal IPC server. An attacker can access sensitive files and secrets by connecting to the world-accessible abstract-namespace Unix socket and issuing crafted requests.
Note: This is only exploitable if the development server is running on a shared multi-tenant Linux host outside of containerized or isolated environments.
How to fix Incorrect Default Permissions? Upgrade nuxt to version 3.21.7, 4.4.7 or higher.
| >=3.18.0 <3.21.7, >=4.0.0-alpha.1 <4.4.7 |
Open Redirect
Affected versions of this package are vulnerable to Open Redirect via improper handling of URLs in the navigateTo function. An attacker can execute arbitrary scripts or redirect users to malicious sites by supplying crafted URLs that exploit path normalization and protocol-relative bypasses.
How to fix Open Redirect? Upgrade nuxt to version 3.21.7, 4.4.7 or higher.
| <3.21.7, >=4.0.0-alpha.1 <4.4.7 |
Improper Handling of Case Sensitivity
Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity through the getRouteRules function in the route rules matcher. An attacker can evade prerender, SSR, or redirect rules by sending a request with a path that uses different letter casing from the configured route rule. This causes the application to serve content without applying the intended route-specific restrictions, potentially exposing pages that should be redirected or rendered differently.
Notes
- routeRules lookups are used from both the page-router plugin and the no-pages router plugin, so the mismatch can affect SSR and client-side navigations alike, rather than only one rendering path.
- The bypass is limited to deployments that rely on routeRules.appMiddleware for access control; page-level middleware declared with definePageMeta({ middleware }) is bound to the matched route record and is not part of this issue.
Workarounds
- Set router.options.sensitive = true so vue-router matches paths case-sensitively, preventing attackers from bypassing route rules by changing the case of a protected URL.
How to fix Improper Handling of Case Sensitivity? Upgrade nuxt to version 3.21.7, 4.4.7 or higher.
| >=3.11.0 <3.21.7, >=4.0.0-alpha.1 <4.4.7 |
Cross-site Scripting (XSS)
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the NuxtLink href when attacker-controlled input is bound to the to or href properties. An attacker can execute arbitrary scripts in the context of the application by supplying a crafted javascript: or data: URL, which is reflected into the rendered markup and executed when a user clicks the link. This also exposes a phishing surface by allowing data URLs to be reflected through the same sink, enabling deceptive links anchored to legitimate application content.
How to fix Cross-site Scripting (XSS)? Upgrade nuxt to version 3.21.7, 4.4.7 or higher.
| |
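
The redirect and link advisories above (navigateTo, reloadNuxtApp(), NuxtLink) all involve an untrusted target reaching a navigation sink. The following is an added example of an application-side check for such targets, not Nuxt's code or its patch; the function name safeInternalPath and the origin https://app.example are hypothetical, and the sample inputs are constructed.

```javascript
// Added example: validate a redirect/link target before it reaches a
// navigation sink. Names and the origin below are hypothetical.
const APP_ORIGIN = "https://app.example"; // constructed sample origin

// Returns a same-origin path ("/a?b#c") or null when the target is unsafe.
function safeInternalPath(target, appOrigin = APP_ORIGIN) {
  if (typeof target !== "string" || target.length === 0) return null;

  let url;
  try {
    // Parse the way a browser would: the WHATWG parser strips tabs and
    // newlines, lowercases the scheme and treats "\" as "/" for http(s).
    url = new URL(target, appOrigin);
  } catch {
    return null;
  }

  // Only http(s) may reach the sink; javascript:, data:, etc. stop here.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;

  // Protocol-relative ("//host") and absolute URLs resolve to another origin.
  if (url.origin !== new URL(appOrigin).origin) return null;

  // Dot-segment normalization can leave a path that itself starts with "//";
  // emitted in a Location header or href it becomes protocol-relative again.
  if (url.pathname.startsWith("//")) return null;

  return url.pathname + url.search + url.hash;
}

// Constructed inputs covering the cases named in the advisories.
const samples = [
  "/dashboard?tab=1#top",
  "https://app.example/account",
  "//evil.com",
  "/\\evil.com",
  "/..//evil.com",
  "javascript:alert(1)",
  " JaVaScRiPt:alert(1)",
  "data:text/html,<b>x</b>",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeInternalPath(s));
}
```

The check compares the parsed result rather than the raw string, so encoding and casing variants are judged by what the browser would actually navigate to.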
Authentication Bypass Using an Alternate Path or Channel
Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the route middleware. An attacker can gain unauthorized access to server-rendered page content by directly requesting the /__nuxt_island/page_* endpoint, bypassing authentication or authorization checks enforced solely through route middleware.
Note: This is only exploitable if experimental.componentIslands is enabled, the application defines one or more .server.vue files under pages/, and authentication or authorization for at least one such page is enforced solely via route middleware without a server-side check inside the page or its data layer.
How to fix Authentication Bypass Using an Alternate Path or Channel? Upgrade nuxt to version 3.21.6, 4.4.6 or higher.
| >=3.11.0 <3.21.6, >=4.0.0-alpha.1 <4.4.6 |
HTTP Request Smuggling
Affected versions of this package are vulnerable to HTTP Request Smuggling via the __nuxt_island endpoint when responses are not properly bound to request props, allowing shared-cache poisoning. An attacker can cause users to receive attacker-controlled HTML by priming a shared cache with crafted requests, potentially leading to script execution if unsafe HTML sinks are present in application-authored islands.
Note: This is only exploitable if a shared intermediary cache (such as a CDN or reverse-proxy) keys /__nuxt_island/* requests on the path only, and if an island component passes untrusted props into an unsafe HTML sink.
How to fix HTTP Request Smuggling? Upgrade nuxt to version 3.21.6, 4.4.6 or higher.
| >=3.1.0 <3.21.6, >=4.0.0-alpha.1 <4.4.6 |
Cross-site Scripting (XSS)
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the navigateTo function when handling external redirects in server-side rendering. An attacker can execute arbitrary HTML or JavaScript in the application's origin by supplying a crafted URL containing characters such as > that break out of the HTML attribute context and inject malicious code. This occurs before the meta-refresh redirect is triggered, allowing the injected script to run in the user's browser.
How to fix Cross-site Scripting (XSS)? Upgrade nuxt to version 3.21.6, 4.4.6 or higher.
| >=3.4.3 <3.21.6, >=4.0.0-alpha.1 <4.4.6 |