CVE-2024-34344 — Code Injection in Nuxt

CWE-94 — Code Injection CWE-706 — Use of Incorrectly-Resolved Name or Reference3 documents3 sources

Severity

8.8HIGHNVD

EPSS

1.3%

top 20.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nuxt

Timeline

PublishedAug 5

Description

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Due to the insufficient validation of the `path` parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands. Users who open a malicious web page in the browser while running the test locally are affected by this vulnerability, which results in the remote code execution from the malicious web page.…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDnuxt/nuxt3.4.0 — 3.12.4

▶npmnuxt/nuxt3.4.0 — 3.12.4

▶CVEListV5nuxt/nuxt>= 3.4.0 < 3.12.4

🔴Vulnerability Details

GHSA

Nuxt vulnerable to remote code execution via the browser when running the test locally↗2024-08-05

▶

OSV

Nuxt vulnerable to remote code execution via the browser when running the test locally↗2024-08-05

▶