nuxt@3.21.6

Nuxt is a free and open-source framework with an intuitive and extendable way to create type-safe, performant and production-grade full-stack web applications and websites with Vue.js.

  • latest version: 4.4.8

  • latest non vulnerable version:

  • first published: 9 years ago

  • latest version published: 26 days ago

  • licenses detected:

  • Direct Vulnerabilities

    Known vulnerabilities in the nuxt package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable versions (severity badge on each entry: Critical, Medium, Low)

    • Critical: Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the navigateTo open option. An attacker can execute arbitrary scripts in the application's origin by supplying a crafted open parameter containing a script-capable URL.

    How to fix Cross-site Scripting (XSS)?

    Upgrade nuxt to version 3.21.7, 4.4.7 or higher.

    Vulnerable versions: <3.21.7 || >=4.0.0-alpha.1 <4.4.7

    • Critical: Open Redirect

    Affected versions of this package are vulnerable to Open Redirect via the reloadNuxtApp() function. An attacker can redirect users to attacker-controlled hosts by injecting protocol-relative paths such as //evil.com, potentially enabling phishing attacks or theft of OAuth authorization codes.

    How to fix Open Redirect?

    Upgrade nuxt to version 3.21.7, 4.4.7 or higher.

    Vulnerable versions: <3.21.7 || >=4.0.0-alpha.1 <4.4.7

    • Low: Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the NoScript component when untrusted input is interpolated into its slot content. An attacker can inject malicious HTML or scripts by supplying specially crafted data that is rendered unescaped in the server-generated HTML, potentially leading to execution of arbitrary code in the user's browser.

    How to fix Cross-site Scripting (XSS)?

    Upgrade nuxt to version 3.21.7, 4.4.7 or higher.

    Vulnerable versions: <3.21.7 || >=4.0.0-alpha.1 <4.4.7

    • Medium: Incorrect Default Permissions

    Affected versions of this package are vulnerable to Incorrect Default Permissions via the module and resolve request types in the internal IPC server. An attacker can access sensitive files and secrets by connecting to the world-accessible abstract-namespace Unix socket and issuing crafted requests.

    Note: This is only exploitable if the development server is running on a shared multi-tenant Linux host outside of containerized or isolated environments. Abstract-namespace Unix sockets carry no filesystem permissions, so any local user in the same network namespace can connect to one; a separate container or network namespace does not see it.

    How to fix Incorrect Default Permissions?

    Upgrade nuxt to version 3.21.7, 4.4.7 or higher.

    Vulnerable versions: >=3.18.0 <3.21.7 || >=4.0.0-alpha.1 <4.4.7

    • Critical: Open Redirect

    Affected versions of this package are vulnerable to Open Redirect via improper handling of URLs in the navigateTo function. An attacker can execute arbitrary scripts or redirect users to malicious sites by supplying crafted URLs that exploit path normalization and protocol-relative bypasses.

    How to fix Open Redirect?

    Upgrade nuxt to version 3.21.7, 4.4.7 or higher.

    Vulnerable versions: <3.21.7 || >=4.0.0-alpha.1 <4.4.7

    • Medium: Improper Handling of Case Sensitivity

    Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity through the getRouteRules function in the route rules matcher. An attacker can evade prerender, SSR, or redirect rules by sending a request with a path that uses different letter casing from the configured route rule. This causes the application to serve content without applying the intended route-specific restrictions, potentially exposing pages that should be redirected or rendered differently.

    Notes

    • routeRules lookups are used from both the page-router plugin and the no-pages router plugin, so the mismatch can affect SSR and client-side navigations alike, rather than only one rendering path.
    • The bypass is limited to deployments that rely on routeRules.appMiddleware for access control; page-level middleware declared with definePageMeta({ middleware }) is bound to the matched route record and is not part of this issue.

    Workarounds

    • Set router.options.sensitive = true so vue-router matches paths case-sensitively, preventing attackers from bypassing route rules by changing the case of a protected URL.

    How to fix Improper Handling of Case Sensitivity?

    Upgrade nuxt to version 3.21.7, 4.4.7 or higher.

    Vulnerable versions: >=3.11.0 <3.21.7 || >=4.0.0-alpha.1 <4.4.7

    • Medium: Cross-site Scripting (XSS)
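    The following is an added example, not Nuxt's own matcher or the upstream fix, that reproduces the class of bug in the case-sensitivity entry above: a toy page router that matches case-insensitively (vue-router's default unless sensitive: true is set) sitting next to a route-rule lookup that is an exact string match on the request path. PAGES, ROUTE_RULES, matchRoute, getRouteRules, resolve and resolveConsistent are all hypothetical names.

```javascript
// Added example (not Nuxt's own code): a toy reproduction of the class of
// bug described above. The page router matches paths case-insensitively,
// as vue-router does unless `sensitive: true` is set, while the route-rule
// lookup is an exact string match on the request path. A request for /Admin
// therefore reaches the /admin page but never sees the rule attached to
// /admin. PAGES, ROUTE_RULES and every function name here are hypothetical.

const PAGES = ['/', '/admin', '/account'];

// Constructed rules, in the shape of nuxt.config routeRules.
const ROUTE_RULES = {
  '/admin': { redirect: '/login' },
  '/account': { ssr: false },
};

// Toy router: returns the matched page record path, or null for a 404.
function matchRoute(path, { sensitive = false } = {}) {
  const norm = (s) => (sensitive ? s : s.toLowerCase());
  return PAGES.find((p) => norm(p) === norm(path)) ?? null;
}

// Exact-match rule lookup, keyed by whatever string it is handed.
function getRouteRules(path) {
  return ROUTE_RULES[path] ?? null;
}

// Vulnerable shape: route with the router, but look rules up by the raw
// request path. `bypass` is true when the matched page carries a rule that
// the lookup failed to apply.
function resolve(path, routerOpts = {}) {
  const page = matchRoute(path, routerOpts);
  if (page === null) return { page: null, rules: null, bypass: false };
  const applied = getRouteRules(path);
  const intended = getRouteRules(page);
  return { page, rules: applied, bypass: intended !== null && applied === null };
}

// Consistent shape (hypothetical fix): key the rule lookup by the matched
// record's own path, so the casing the client chose can no longer split
// routing from rule application.
function resolveConsistent(path, routerOpts = {}) {
  const page = matchRoute(path, routerOpts);
  if (page === null) return { page: null, rules: null, bypass: false };
  return { page, rules: getRouteRules(page), bypass: false };
}
```

    With the default router, resolve('/Admin') returns the /admin page with rules null and bypass true, which is the evasion the advisory describes. With { sensitive: true }, the advisory's workaround (set under router.options in nuxt.config), the same request falls through to a 404 instead. resolveConsistent closes the gap regardless of the router setting by keying the lookup on the matched record rather than the request string; the real remediation for this package is still the upgrade to 3.21.7 or 4.4.7.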

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the NuxtLink href when attacker-controlled input is bound to the to or href properties. An attacker can execute arbitrary scripts in the context of the application by supplying a crafted javascript: or data: URL, which is reflected into the rendered markup and executed when a user clicks the link. This also exposes a phishing surface by allowing data URLs to be reflected through the same sink, enabling deceptive links anchored to legitimate application content.

    How to fix Cross-site Scripting (XSS)?

    Upgrade nuxt to version 3.21.7, 4.4.7 or higher.

    Vulnerable versions: <3.21.7 || >=4.0.0-0 <4.4.7
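    The four URL-sink entries on this page (navigateTo open option, reloadNuxtApp(), navigateTo path handling, NuxtLink to/href) share one root cause: attacker-controlled strings reaching a redirect or href without an allow-list check. The following is an added example, not Nuxt's code or its fix, of the two checks a practitioner would put in front of such sinks. It leans on the WHATWG URL parser (the URL global in Node and browsers) so that protocol-relative (//evil.com), backslash (/\evil.com), whitespace-padded and mixed-case scheme variants are all normalised by the parser rather than by hand-written string tests. APP_ORIGIN is a constructed value; safeRedirectTarget, safeHref and ALLOWED_LINK_SCHEMES are hypothetical names.

```javascript
// Added example, not Nuxt's own implementation: allow-list checks for the
// two kinds of sink named in the advisories above, a same-origin redirect
// target (navigateTo / reloadNuxtApp) and an outbound link href (NuxtLink).
// Both use the WHATWG URL parser instead of regexes, so parser-level
// normalisation (scheme lowercasing, tab/newline stripping, "\" treated as
// "/" for http(s), dot-segment removal) is applied before any decision.

// Constructed value standing in for the deployed application's origin.
const APP_ORIGIN = 'https://app.example';

// Return a same-origin path (path + query + fragment), or null when `input`
// would leave the application origin or does not parse as a URL.
function safeRedirectTarget(input, origin = APP_ORIGIN) {
  if (typeof input !== 'string') return null;
  let url;
  try {
    url = new URL(input, origin);
  } catch {
    return null; // unparseable input is rejected, not passed through
  }
  // javascript:/data: resolve to an opaque origin ("null"); //host, /\host and
  // absolute foreign URLs resolve to another origin. Only an exact match survives.
  if (url.origin !== new URL(origin).origin) return null;
  return url.pathname + url.search + url.hash;
}

// Outbound links: allow a short list of navigational schemes, plus relative
// paths (which resolve against the app origin). javascript:, data:,
// vbscript:, blob: and anything else are rejected rather than rendered.
const ALLOWED_LINK_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:']);

function safeHref(input, origin = APP_ORIGIN) {
  if (typeof input !== 'string') return null;
  let url;
  try {
    url = new URL(input, origin);
  } catch {
    return null;
  }
  if (!ALLOWED_LINK_SCHEMES.has(url.protocol)) return null;
  return url.href;
}
```

    The two functions answer different questions and should not be swapped: safeHref('//evil.com') is accepted, because an outbound http(s) link to another site is a legitimate thing for an anchor to do, while safeRedirectTarget('//evil.com') is rejected, because a post-login or OAuth return redirect must stay on the application's origin. Returning the normalised path rather than the caller's original string also removes the "/admin/../x" style path-normalisation tricks mentioned in the navigateTo entry, since the parser has already collapsed the dot segments.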