nuxt
35 known vulnerabilities · 1 critical · 0 high
Nuxt: Reflected XSS in `navigateTo()` external redirect
Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
Nuxt: Dev server discloses project absolute path and persistent workspace UUID via `/.well-known/appspecific/com.chrome.devtools.json`
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
Nuxt dev server vite-node IPC socket is world-connectable on Linux
Nuxt: Reflected XSS in `<NuxtLink>` via unsanitised `javascript:` or `data:` URL
Nuxt: URL-handling weaknesses in `navigateTo` and `reloadNuxtApp`: SSR open redirect, client-side script execution via the `open` option, and protocol-relative bypass in `reloadNuxtApp`
Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher
Cross-site scripting via `<NoScript>` slot content in Nuxt's head components
Malicious code in better-auth-nuxt (npm)
nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)
Malicious code in @livecms/nuxt-live-edit (npm)
Nuxt OG Image vulnerable to Server-Side Request Forgery via user-controlled parameters
Malicious code in @lui-ui/lui-nuxt (npm)
Malicious code in @huntersofbook/core-nuxt (npm)
Nuxt OG Image is vulnerable to Denial of Service via unbounded image dimensions
Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes
Malicious code in @opposhop/nuxt-ssr-cache (npm)
@nuxtlabs/github-module made Use of Hard-coded Credentials
Opening a malicious website while running a Nuxt dev server could allow read-only access to code
Malicious code in @oku-ui/primitives-nuxt (npm)
Malicious code in @posthog/nuxt (npm)
Malicious code in @hrb-web/nuxt (npm)
Malicious code in @shwfed/nuxt (npm)
Malicious code in frontegg-nuxt-example (npm)
Malicious code in @alexcolls/nuxt-socket.io (npm)
Malicious code in vue-browserupdate-nuxt (npm)
Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)
@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)
Malicious code in @alexcolls/nuxt-ux (npm)
Malicious code in @oku-ui/motion-nuxt (npm)
Malicious code in @pergel/nuxt (npm)
Malicious code in nuxt-keycloak (npm)