HTTP Request Smuggling Affecting nuxt package, versions >=3.1.0 <3.21.6>=4.0.0-alpha.1 <4.4.6
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-NUXT-16770418
- published20 May 2026
- disclosed19 May 2026
- creditmk0
Introduced: 19 May 2026
NewCVE-2026-46342 (opens in a new tab)How to fix?
Upgrade nuxt to version 3.21.6, 4.4.6 or higher.
Overview
Affected versions of this package are vulnerable to HTTP Request Smuggling via the __nuxt_island endpoint when responses are not properly bound to request props, allowing shared-cache poisoning. An attacker can cause users to receive attacker-controlled HTML by priming a shared cache with crafted requests, potentially leading to script execution if unsafe HTML sinks are present in application-authored islands.
Note: This is only exploitable if a shared intermediary cache (such as a CDN or reverse-proxy) keys /__nuxt_island/* requests on the path only, and if an island component passes untrusted props into an unsafe HTML sink.
Workaround
This vulnerability can be mitigated by configuring intermediary caches to key /__nuxt_island/* on the full query string, and by auditing island components to ensure props do not flow into unsafe HTML sinks such as v-html or innerHTML.