Open Redirect Affecting nuxt package, versions <3.21.7>=4.0.0-alpha.1 <4.4.7
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-NUXT-17353894
- published17 Jun 2026
- disclosed16 Jun 2026
- creditcleverlabs
Introduced: 16 Jun 2026
New CVE NOT AVAILABLE CWE-601 (opens in a new tab)How to fix?
Upgrade nuxt to version 3.21.7, 4.4.7 or higher.
Overview
Affected versions of this package are vulnerable to Open Redirect via improper handling of URLs in the navigateTo and reloadNuxtApp functions. An attacker can execute arbitrary scripts or redirect users to malicious sites by supplying crafted URLs that exploit path normalization and protocol-relative bypasses.
Workaround
This vulnerability can be mitigated by validating redirect targets before passing them to navigation functions, such as rejecting inputs where the normalized pathname starts with //, or only accepting a known allow-list of paths. Additionally, reject any user-controlled URL whose protocol is not in an allow-list (typically just http: and https:) before passing it to navigation functions.