Nuxt vulnerabilities

CVE-2025-59414 [LOW] CWE-22 CVE-2025-59414: Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, A client-sid Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. The vulnerability occur

CVE-2025-27415 [HIGH] CWE-349 CVE-2025-27415: Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted H Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JS

CVE-2025-24361 [MEDIUM] CWE-749 CVE-2025-24361: Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev wh Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, a

CVE-2025-24360 [MEDIUM] CWE-200 CVE-2025-24360: Nuxt is an open-source web development framework for Vue.js. Starting in version 3.8.1 and prior to Nuxt is an open-source web development framework for Vue.js. Starting in version 3.8.1 and prior to version 3.15.3, Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings. Users with the default server.cors option using Vite builder may get the source code stolen by malicious website

CVE-2024-34344 [HIGH] CWE-94 CVE-2024-34344: Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Due to the insufficient validation of the `path` parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands. Users who open a malicious web page in the

CVE-2024-42352 [HIGH] CWE-918 CVE-2024-42352: Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. `nuxt/icon` provides an API to allow client side icon lookup. This endpoint is at `/api/_nuxt_icon/[name]`. The proxied request path is improperly parsed, allowing an attacker to change the scheme and host of the request. This leads to SSRF, and co

CVE-2024-23657 [HIGH] CWE-22 CVE-2024-23657: Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Nuxt Devtools is missing authentication on the `getTextAssetContent` RPC function which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attacker is able to interact with a locally running devtools

CVE-2024-34343 [MEDIUM] CWE-79 CVE-2024-34343: Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. The `navigateTo` function attempts to blockthe `javascript:` protocol, but does not correctly use API's provided by `unjs/ufo`. This library also contains parsing discrepancies. The function first tests to see if the specified URL has a protocol.

CVE-2023-3224 [CRITICAL] CWE-94 CVE-2023-3224: Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3. Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3.

CVE-2023-0878 [MEDIUM] CWE-79 CVE-2023-0878: Cross-site Scripting (XSS) - Generic in GitHub repository nuxt/framework prior to 3.2.1. Cross-site Scripting (XSS) - Generic in GitHub repository nuxt/framework prior to 3.2.1.