Server-side Request Forgery (SSRF) in nuxt-og-image

Q: How to fix?

Upgrade nuxt-og-image to version 6.2.5 or higher.

Introduced: 31 Mar 2026

How to fix?

Upgrade nuxt-og-image to version 6.2.5 or higher.

Overview

nuxt-og-image is an Enlightened OG Image generation for Nuxt.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via user-controlled parameters in the /_og/d/ endpoint. An attacker can access internal network resources or sensitive data by injecting crafted URLs through parameters such as style or html. This may allow scanning of internal ports and services, or reading sensitive data from cloud infrastructure metadata services when verbose error output is enabled.

References

GitHub Advisory
GitHub Commit
GitHub PR

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Server-side Request Forgery (SSRF) Affecting nuxt-og-image package, versions <6.2.5

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 31 Mar 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk