CVE-2025-59414 — Path Traversal in Nuxt

CWE-22 — Path Traversal3 documents3 sources

Severity

3.1LOWNVD

EPSS

0.1%

top 83.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nuxt

Timeline

PublishedSep 17

Description

Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 1.6 | Impact: 1.4

Affected Packages3 packages

▶NVDnuxt/nuxt3.6.0 — 3.19.0+1

▶npmnuxt/nuxt3.6.0 — 3.19.0+1

▶CVEListV5nuxt/nuxt>= 3.6.0 < 3.19.0, >= 4.0.0 < 4.1.0+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival↗2025-09-17

▶

GHSA

Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival↗2025-09-17

▶