Skip to content

chore(deps): update dependency nuxt to v3.21.7 [security]#115

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-nuxt-vulnerability
Open

chore(deps): update dependency nuxt to v3.21.7 [security]#115
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-nuxt-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Aug 5, 2024

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
nuxt (source) 3.8.13.21.7 age confidence
nuxt (source) ^3.8.1^3.21.7 age confidence

Nuxt vulnerable to remote code execution via the browser when running the test locally

CVE-2024-34344 / GHSA-v784-fjjh-f8r4

More information

Details

Summary

Due to the insufficient validation of the path parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands.

Details

While running the test, a special component named NuxtTestComponentWrapper is available.
https://github.com/nuxt/nuxt/blob/4779f5906fa4d3c784c2e2d6fe5a5c5f181faaec/packages/nuxt/src/app/components/nuxt-root.vue#L42-L43

This component loads the specified path as a component and renders it.

https://github.com/nuxt/nuxt/blob/4779f5906fa4d3c784c2e2d6fe5a5c5f181faaec/packages/nuxt/src/app/components/test-component-wrapper.ts#L9-L27

There is a validation for the path parameter to check whether the path traversal is performed, but this check is not sufficient.

https://github.com/nuxt/nuxt/blob/4779f5906fa4d3c784c2e2d6fe5a5c5f181faaec/packages/nuxt/src/app/components/test-component-wrapper.ts#L15-L19

Since import(...) uses query.path instead of the normalized path, a non-normalized URL can reach the import(...) function.
For example, passing something like ./components/test normalizes path to /root/directory/components/test, but import(...) still receives ./components/test.

By using this behavior, it's possible to load arbitrary JavaScript by using the path like the following:

data:text/javascript;base64,Y29uc29sZS5sb2coMSk

Since resolve(...) resolves the filesystem path, not the URI, the above URI is treated as a relative path, but import(...) sees it as an absolute URI, and loads it as a JavaScript.

PoC
  1. Create a nuxt project and run it in the test mode:
npx nuxi@latest init test
cd test
TEST=true npm run dev
  1. Open the following URL:
http://localhost:3000/__nuxt_component_test__/?path=data%3Atext%2Fjavascript%3Bbase64%2CKGF3YWl0IGltcG9ydCgnZnMnKSkud3JpdGVGaWxlU3luYygnL3RtcC90ZXN0JywgKGF3YWl0IGltcG9ydCgnY2hpbGRfcHJvY2VzcycpKS5zcGF3blN5bmMoIndob2FtaSIpLnN0ZG91dCwgJ3V0Zi04Jyk
  1. Confirm that the output of whoami is written to /tmp/test

Demonstration video: https://www.youtube.com/watch?v=FI6mN8WbcE4

Impact

Users who open a malicious web page in the browser while running the test locally are affected by this vulnerability, which results in the remote code execution from the malicious web page.
Since web pages can send requests to arbitrary addresses, a malicious web page can repeatedly try to exploit this vulnerability, which then triggers the exploit when the test server starts.

Severity

  • CVSS Score: 9.2 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR

CVE-2024-34343 / GHSA-vf6r-87q4-2vjf

More information

Details

Summary

The navigateTo function attempts to blockthe javascript: protocol, but does not correctly use API's provided by unjs/ufo. This library also contains parsing discrepancies.

Details

The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL parsing. This function works effectively, and returns true for a javascript: protocol.

After this, the URL is parsed using the parseURL function. This function will refuse to parse poorly formatted URLs. Parsing javascript:alert(1) returns null/"" for all values.

Next, the protocol of the URL is then checked using the isScriptProtocol function. This function simply checks the input against a list of protocols, and does not perform any parsing.

The combination of refusing to parse poorly formatted URLs, and not performing additional parsing means that script checks fail as no protocol can be found. Even if a protocol was identified, whitespace is not stripped in the parseURL implementation, bypassing the isScriptProtocol checks.

Certain special protocols are identified at the top of parseURL. Inserting a newline or tab into this sequence will block the special protocol check, and bypass the latter checks.

PoC

POC - https://stackblitz.com/edit/nuxt-xss-navigateto?file=app.vue

Attempt payload X, then attempt payload Y.

Impact

XSS, access to cookies, make requests on user's behalf.

Recommendations

As always with these bugs, the URL constructor provided by the browser is always the safest method of parsing a URL.

Given the cross-platform requirements of nuxt/ufo a more appropriate solution is to make parsing consistent between functions, and to adapt parsing to be more consistent with the WHATWG URL specification.

Note

I've reported this vulnerability here as it is unclear if this is a bug in ufo or a misuse of the ufo library.

This ONLY has impact after SSR has occurred, the javascript: protocol within a location header does not trigger XSS.

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Nuxt allows DOS via cache poisoning with payload rendering response

CVE-2025-27415 / GHSA-jvhm-gjrh-3h93

More information

Details

Summary

By sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site.

It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site.

Impact

An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable.

Conclusion :

This is similar to a vulnerability in Next.js that resulted in CVE-2024-46982 (and see this article, in particular the "Internal URL parameter and pageProps" part, the latter being very similar to the one concerning us here.)

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival

CVE-2025-59414 / GHSA-p6jq-8vc4-79f6

More information

Details

Summary

A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met.

Technical Details

The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. The issue affects the following flow:

  1. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object
  2. This data gets serialized with devalue.stringify and stored in the prerendered page
  3. When a client navigates to the prerendered page, devalue.parse deserializes the payload
  4. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences
Prerequisites for Exploitation

This vulnerability requires all of the following conditions:

  1. Prerendered pages: The application must use Nuxt's prerendering feature (nitro.prerender)
  2. Attacker-controlled API responses: The attacker must be able to control the response content of an API endpoint that is called during prerendering via useFetch, useAsyncData, or similar composables
  3. Client-side navigation: A user must navigate to the prerendered page (not during initial SSR hydration)
Attack Scenario
// Malicious API response during prerendering
{
  "__nuxt_island": {
    "key": "../../../../internal/service",
    "params": { "action": "probe" }
  }
}

This could cause the client to make requests to /__nuxt_island/../../../../internal/service.json if path traversal is not properly handled by the server.

Impact Assessment
  • Limited Impact: The vulnerability has a low severity due to the highly specific prerequisites
  • No Direct Data Exfiltration: The vulnerability does not directly expose sensitive data
  • Client-Side Only: Requests originate from the client, not the server
Mitigation

Action Required:

  • Update to Nuxt 3.19.0+ or 4.1.0+ immediately
  • Review any prerendered pages that fetch external or user-controlled data

Temporary Workarounds (if immediate update is not possible):

  1. Disable prerendering for pages that fetch user-controlled data
  2. Implement strict input validation on API endpoints used during prerendering
  3. Use allowlists for API response structures during prerendering
Fix Details

The fix implemented validation for Island keys in revive-payload.server.ts:

  • Island keys must match the pattern /^[a-z][a-z\d-]*_[a-z\d]+$/i
  • Maximum length of 100 characters
  • Prevents path traversal and special characters

Severity

  • CVSS Score: 3.1 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Nuxt: Reflected XSS in navigateTo() external redirect

CVE-2026-45669 / GHSA-fx6j-w5w5-h468

More information

Details

Summary

navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application's origin.

This is a different root cause from CVE-2024-34343 (GHSA-vf6r-87q4-2vjf), which addressed javascript: protocol bypass. The issue here is triggered by any valid URL containing >.

Impact

Applications that pass user-controlled input to navigateTo(url, { external: true }) — typically via a ?next= / ?redirect= query parameter used for post-login or "return to" flows — are vulnerable to reflected cross-site scripting. The injected script runs in the context of the application's origin during the server-rendered redirect response, before the meta-refresh fires.

Details

In packages/nuxt/src/app/composables/router.ts, the SSR redirect path builds an HTML response body with only " percent-encoded in the destination URL:

const encodedLoc = location.replace(/"/g, '%22')
nuxtApp.ssrContext!['~renderResponse'] = {
status: sanitizeStatusCode(options?.redirectCode || 302, 302),
body: `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=${encodedLoc}"></head></html>`,
headers: { location: encodeURL(location, isExternalHost) },
}

The Location header is normalised through encodeURL() (which uses the URL constructor and correctly percent-encodes attribute-significant characters). The HTML body uses a narrower sanitiser. That mismatch is the root cause.

Proof of concept

Global middleware that forwards a query parameter to navigateTo:

// middleware/redirect.global.ts
export default defineNuxtRouteMiddleware((to) => {
const next = to.query.next as string | undefined
if (next) {
 return navigateTo(next, { external: true })
}
})

Request:

GET /?next=https://evil.example/x><img src=x onerror=alert(document.domain)>

Response body:

<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=https://evil.example/x><img src=x onerror=alert(document.domain)>"></head></html>

The > after evil.example/x terminates the content="…" attribute, and the <img onerror> tag executes JavaScript in the application's origin before any redirect
occurs.

Patches

Fixed in nuxt@4.4.6 and nuxt@3.21.6 by #​35052. The fix percent-encodes the full set of HTML-attribute-significant characters (&, ", ', <, >) before interpolating the URL into the meta-refresh body

Workarounds

If you can't upgrade immediately, validate user-controlled URLs before passing them to navigateTo(url, { external: true }). At minimum, normalise through new URL(input).toString() and reject inputs containing < or > (a normalised URL with these characters is malformed and safe to refuse).

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Nuxt: __nuxt_island endpoint does not bind responses to request props, enabling shared-cache poisoning

CVE-2026-46342 / GHSA-g8wj-3cr3-6w7v

More information

Details

Summary

The /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query.

Island components are documented as rendering independently of route context - page middleware does not apply to them, and they are intentionally cacheable as a function of their props. This advisory does not treat that contract as a vulnerability. It treats the absence of a binding between the URL the cache keys on and the response served at that URL as one.

Impact

In applications where a CDN or reverse-proxy in front of the app caches /__nuxt_island/* keyed by path only (ignoring query) - a documented misconfiguration class, see GHSA-jvhm-gjrh-3h93 - an attacker can prime the cache for a path with their own choice of props, and subsequent users requesting the same path receive the attacker's rendered HTML rather than the response intended for them. The cache entry persists until normal expiry.

Where the affected island has any prop flowing into an unsafe HTML sink in application code (v-html, innerHTML, a third-party renderer treating a prop as HTML), this becomes stored XSS in the embedding page's origin until the cache entry expires. HttpOnly cookies remain out of reach but anything else in the origin (other cookies, in-origin requests, DOM state) is reachable by the injected script.

Preconditions:

  • experimental.componentIslands enabled (or the default 'auto' with at least one server / island component in the app).
  • A shared intermediary cache (CDN, reverse-proxy, edge cache) keyed on path only.
  • For the XSS pivot specifically: an application-authored island that puts a prop through an unsafe HTML sink.

Without the second precondition, the response shape is per-request and unaffected. Without the third, the worst case is content-swap / inert HTML injection rather than script execution.

Patches

Patched in nuxt@4.4.6 and nuxt@3.21.6 by #​35077. The island handler now recomputes the expected hashId from (name, props, context) using the same ohash function <NuxtIsland> already uses to embed the hash in the URL, and rejects requests (HTTP 400) whose URL-resident hash does not match. The response is now a pure function of the request path: a path-keyed shared cache returns the correct response to every requester for that path, and an attacker cannot synthesise a path whose hash matches arbitrary props.

Workarounds

For users unable to upgrade immediately:

  • Ensure any intermediary cache keys /__nuxt_island/* on the full query string, not on the path alone. This is the recommended configuration regardless.
  • Audit application-authored islands for props flowing into v-html / innerHTML / similar HTML sinks; treat island props as untrusted user input.
Note on island authentication

[!IMPORTANT]
It's important to remember that route middleware does not run when rendering island components, and islands cannot rely on routing-layer auth. Applications gating sensitive data behind page middleware should enforce that auth inside the island's own data layer (server-only routes, useRequestEvent + manual session checks, etc.) rather than relying on the embedding page's middleware - this was true before this advisory and remains true after it.

A separate advisory addresses *.server.vue pages registered as page_<routeName> islands, where the documented "middleware doesn't run for islands" contract collides with the page's own definePageMeta({ middleware }) declaration in a way that constitutes a genuine bug rather than documented behaviour.

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Nuxt: URL-handling weaknesses in navigateTo and reloadNuxtApp: SSR open redirect, client-side script execution via the open option, and protocol-relative bypass in reloadNuxtApp

CVE-2026-56326 / GHSA-c9cv-mq2m-ppp3

More information

Details

Summary

Three weaknesses in Nuxt's client-navigation URL handling, all reachable
from documented public APIs (navigateTo and reloadNuxtApp):

  1. SSR open redirect in navigateTo via path-normalisation bypass.
    navigateTo decided whether a target was external by inspecting the raw
    input with hasProtocol(..., { acceptRelative: true }). Inputs such as
    /..//evil.com, /.//evil.com, /%2e%2e//evil.com, or
    /app/..//evil.com slipped past that check because they start with
    /, but WHATWG URL parsing then normalised them to the
    protocol-relative pathname //evil.com. The normalised value was
    written to the Location response header and into the
    <meta http-equiv="refresh"> body of the SSR redirect page, so a
    victim's browser would resolve the redirect cross-origin to the
    attacker's host.

  2. Client-side script execution via navigateTo({ open: ... }). The
    client-side early-open handler called window.open(toPath, ...) without
    applying the isScriptProtocol check that gates the normal navigateTo
    path. A target of javascript:... (or another script-capable scheme)
    passed to navigateTo(url, { open: { ... } }) therefore executed in the
    application's origin instead of being rejected.

  3. Open redirect in reloadNuxtApp via protocol-relative bypass.
    reloadNuxtApp({ path }) rejects script-capable protocols by parsing
    the path with new URL(path, window.location.href) and checking the
    resolved protocol against isScriptProtocol. Protocol-relative paths
    such as //evil.com resolve to the current page's protocol (https:),
    which passes that check; the value is then assigned to
    window.location.href, which the browser treats as a cross-origin
    redirect. This is the same protocol-relative bypass family as (1), in
    a different sink.

Impact

For (1), the practical risk is phishing or OAuth-code theft against any
Nuxt app that forwards user-controlled input (for example a ?next=
query parameter on a login route) into navigateTo on the server. The
framework documents that navigateTo blocks external hosts unless
external: true is passed, so maintainers commonly rely on it as the
safe path for post-login redirects.

For (2), any app that passes a user-controlled URL into
navigateTo(url, { open: { ... } }) was vulnerable to reflected XSS in
the application's first-party origin.

For (3), any app that forwards user-controlled input into
reloadNuxtApp({ path }) could be redirected cross-origin for phishing
or OAuth-code theft, even on releases that already shipped the
isScriptProtocol guard added by #​35115.

Patches

Fixed in nuxt@4.4.7 and backported to nuxt@3.21.7. The three sinks
are addressed by:

Workarounds
  • For (1): validate redirect targets before passing them to navigateTo,
    for example reject any input where
    new URL(target, 'http://localhost').pathname starts with //, or
    only accept a known allow-list of paths.
  • For (2): reject any user-controlled URL whose protocol is not in an
    allow-list (typically just http: and https:) before passing it to
    navigateTo({ open: ... }).
  • For (3): same shape as (1). Reject paths starting with // (or where
    new URL(path, window.location.href).host !== window.location.host)
    before passing to reloadNuxtApp({ path }).
References
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Credits

Reported by Anthropic / Claude as ANT-2026-S08HN6DH through Anthropic's
coordinated vulnerability disclosure programme.

The reloadNuxtApp protocol-relative bypass (sink 3) was independently
reported by @​alcls01111 via GitHub's
coordinated disclosure flow (GHSA-w7fp-2cfv-4837), closed as a
duplicate of this advisory.

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Nuxt: Reflected XSS in <NuxtLink> via unsanitised javascript: or data: URL

CVE-2026-53722 / GHSA-934w-87qh-qr26

More information

Details

Summary

<NuxtLink> did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying <a> element. When an application binds attacker-controlled input (a query parameter, a CMS field, a user-supplied profile URL) to <NuxtLink :to> or :href, the attacker can supply a javascript: or vbscript: URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt application, resulting in reflected DOM-based cross-site scripting. A data:text/html,... payload reflected through the same sink does not execute in the application's origin but enables a same-tab phishing surface anchored to a legitimate application link.

The same value was exposed to consumers of the component's custom slot via the href and route.href props, so applications that re-bind those values to their own anchors were affected identically.

Unlike the previously reported navigateTo issue (CVE-2024-34343), the sink here is the rendered anchor itself; the existing isScriptProtocol checks in navigateTo and reloadNuxtApp are not on the code path. The onClick handler intentionally returns early for external links so the browser's native protocol-based navigation runs.

Affected component
  • File: packages/nuxt/src/app/components/nuxt-link.ts
  • Sink: h('a', { href: href.value, ... }) in the default render, plus the href / route.href props passed to the custom slot.
  • Broken check: external auto-detection treated any hasProtocol(path, { acceptRelative: true }) value as an "external link", then rendered the value directly as <a href> without rejecting script-capable protocols. There was no equivalent of the navigateTo isScriptProtocol(protocol) gate in this path.
Impact

Any Nuxt application that binds user-controlled values to <NuxtLink :to> / :href was vulnerable. Common shapes: profile-link rendering (<NuxtLink :to="user.website">), "share this" / "open in new tab" handlers that pass through a query parameter, CMS-driven landing pages that render <NuxtLink :to="cms.cta.url">, and marketplace listings that show seller-supplied links.

For javascript: / vbscript: the primitive is reflected XSS in the application's first-party origin (session theft for non-HttpOnly cookies, CSRF token theft, account takeover via DOM rewriting, credential harvesting via fake login overlays). For data:text/html,... the attacker gets a same-tab phishing surface anchored to a legitimate application link.

Patches

Fixed in nuxt@4.4.7 (commit 0103ce06) and backported to nuxt@3.21.7 (commit 53284043). The fix sanitises the resolved external href before it is passed to <a> or the custom slot: control characters and whitespace are stripped, leading view-source: prefixes are unwrapped, and any remaining script-capable scheme (per isScriptProtocol) causes the href to be replaced with an empty string.

Workarounds

Until you can upgrade, validate URLs at the source before binding them to <NuxtLink :to> / :href. For example, only accept paths that start with / (and not //), or run user-supplied URLs through new URL(value) and reject anything whose protocol is not in an allow-list (typically http: and https:).

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Cross-site scripting via slot content in Nuxt's head components

GHSA-m3q2-p4fw-w38m

More information

Details

Impact

Nuxt's globally registered <NoScript> component (from @unhead/vue head components, re-exported by Nuxt) wrote its default-slot content to the innerHTML of the <noscript> head tag, bypassing the HTML escaping that {{ }} interpolation normally applies in Vue templates.

Applications that placed untrusted, attacker-controllable data inside a <NoScript> slot, for example:

<NoScript>{{ route.query.banner }}</NoScript>

would emit that value unescaped inside <noscript> in the server-rendered HTML. With scripting enabled, the HTML parser treats <noscript> content in <head> under the "in head noscript" insertion mode: any tag other than link, meta, noframes, or style implicitly closes <noscript> and is re-processed in the head. A payload such as <script>...</script> therefore escapes the element and executes in the document context.

Sibling head components (<Style>, <Title>) were not affected because they already routed slot text through the safe textContent path.

Affected versions

All currently supported versions of nuxt that ship the <NoScript> global component.

Patches

Fixed in nuxt@4.4.7 (commit 4b054e9d) and backported to nuxt@3.21.7 (commit 7fea9fd6). The fix escapes <NoScript> slot content with escapeHtml from @vue/shared and writes it to textContent rather than innerHTML. Slot content is now rendered as text; intentional markup inside <NoScript> is no longer parsed as HTML.

Workarounds

Until you can upgrade:

  • Do not interpolate untrusted input into <NoScript> slots. Replace <NoScript>{{ x }}</NoScript> with a static string, or sanitise / HTML-escape x at the source.
  • If you must render dynamic noscript content, write the tag yourself via useHead({ noscript: [{ textContent: escapedValue }] }) after escaping escapedValue.
Credit

Reported to Anthropic's coordinated vulnerability disclosure pipeline by Claude (Anthropic's AI assistant) and triaged by the Anthropic security team. Reference: ANT-2026-4NJYDFFM.

Independently reported by @​alcls01111 via GitHub's coordinated disclosure flow (GHSA-8grp-wcq9-925q), closed as a duplicate of this advisory.

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

nuxt/nuxt (nuxt)

v3.21.7

Compare Source

3.21.7 is the a security hotfix release.

👉 make sure to check https://github.com/nuxt/nuxt/security/advisories to view open advisories resolved by this release.

👉 Changelog

compare changes

🩹 Fixes
  • nitro: Assign noSSR before deciding payload extraction (#​35108)
  • vite: Avoid filtering out dirs with shared prefix from allowDirs (#​35112)
  • nuxt: Use resolve from pathe for buildCache path boundary check (#​35111)
  • nuxt: Prevent sibling-directory traversal in test component wrapper (#​35110)
  • nitro: Pass event data to isValid in dev clipboard-copy listener (#​35109)
  • nuxt: Validate protocols in reloadNuxtApp path before reload (#​35115)
  • vite: Resolve vite clientServer with ssr: false (#​34959)
  • vite: Prefix public asset virtuals with null byte (38d330179)
  • nuxt: Handle missing payload in chunkError listener (#​35155)
  • vite: Close vite dev server on nuxt close (d007d7060)
  • kit,nuxt: Handle cancelling prompts to install packages (59821a5ca)
  • nuxt: Await in-lifght template generation when closing nuxt (#​35181)
  • webpack: Surface compilation errors when stats.toString is empty (71dccff2b)
  • kit: Improve TS extension stripping/substitutions (#​35233)
  • nuxt: Preserve .d.mts/.d.cts in resolveTypePaths (#​35235)
  • nuxt: Reject prototype-chain keys in the island registry (#​35205)
  • nitro: Gate chrome devtools workspace endpoint to local requests (#​35201)
  • nuxt: Escape props in <NuxtClientFallback> ssr output (#​35199)
  • nuxt: Apply isScriptProtocol guard to navigateTo open option (#​35206)
  • rspack,webpack: Require loopback host when missing same-origin signals (#​35200)
  • nuxt: Absolutely resolve defu in app config template (40bedf0db)
  • nuxt: Match route rules case-insensitively to mirror vue-router (3f3e3fa7b)
  • nuxt: Escape <NoScript> slot content (7fea9fd68)
  • nuxt: Block path-normalization open redirect in navigateTo (1f2dd5e78)
  • nuxt: Reject cross-origin paths in reloadNuxtApp (6497d99dd)
  • vite: Bind vite-node IPC to a permissioned filesystem socket (c293bf950)
  • nuxt: Reject script-capable protocols in <NuxtLink> href (53284043d)
  • nuxt: Clarify page and layout usage warnings (#​35184)
  • nuxt: Do not absolutely resolve defu (d11d7b1b5)
📖 Documentation
  • Edit for clarity and grammar (#​35214)
  • Add dedicated module dependencies page (#​35171)
🏡 Chore
  • Use execFileSync for safety in release scripts (9a455a658)
  • Assert there is always a tag (8da21fba8)
  • Fix type in test (bc2837125)
  • Fix lychee dynamic composable exclude (#​35119)
  • Add autofix action tag in comment (70eba297f)
  • Update renovate minimum release age (27a6821a1)
✅ Tests
  • Update test for js payload rendering (b51a80840)
  • Improve reliability of hmr test (0078499f0)
🤖 CI
  • Always run all tests for 4.x/3.x (0519c0ade)
  • Update to agentscan v1.8.0 (#​35120)
  • Automatically close PRs from automated accounts (#​35161)
  • Migrate from tibdex (6277aedcb)
  • Disable provenance-change enforcement in dependency-review (1d4910eed)
  • Add zizmor github actions check (#​35089)
❤️ Contributors

v3.21.6

Compare Source

3.21.6 is the next patch release.

👉 Changelog

compare changes

🩹 Fixes
  • nuxt: Prefer our own builder/server deps (#​35029)
  • nitro: Add json extension to payload cache items (#​35043)
  • nuxt: Handle errors fetching app manifest (#​35050)
  • nuxt: Preserve setPageLayout props on same-path navigation (#​35055)
  • vite: Don't strip buildAssetsDir from vite-node SSR ids (#​35040)
  • nuxt: Mark useLoadingIndicator properties as readonly (#​35062)
  • vite: Strip queries in css inline styles map (#​35067)
  • nuxt: Encode html-significant characters in external redirect body (#​35052)
  • nitro: Validate island request hash matches props (#​35077)
  • nitro: Use regexp to strip query (042b615e6)
  • nitro: Use statusCode for nitro v2 compatibility (82dcd6a31)
  • nuxt: Render component-less parent routes during client-side nav (#​35036)
  • nuxt: Run middleware for page islands (#​35092)
💅 Refactors
  • rspack,webpack: Extract same-origin check for dev middleware (#​35051)
📖 Documentation
  • Remove CSB, set node 22 and use steps for clarity (#​35066)
🏡 Chore
✅ Tests
  • Relax relative time assertion (256513eb0)
  • Move build assets dir fixture out of app/ (6d2ac69ff)
🤖 CI
❤️ Contributors

v3.21.5

Compare Source

3.21.5 is the next patch release.

👉 Changelog

compare changes

🔥 Performance
  • kit: Cache layer roots and short-circuit isIgnored relative (#​35015)
🩹 Fixes
  • nitro: Correct payload route rule for / + override ssr: true (#​34990)
  • nitro: Break recursive rendering deadlocks during prerender (#​34939)
  • vite: Drop redundant css link when entry styles are inlined (#​34950)
  • nuxt: Only force suspense remount after first resolve (#​34949)
  • kit: Read .env before resolving nuxt schema (#​34958)
  • nitro: Preserve serverHandlers array after nitro:config (#​34985)
  • vite: Only consider CSS inlined when styles are actually emitted (#​35006)
  • nuxt: Handle string presets in auto-imports (#​35013)
  • nuxt: Correct island transform for server pages and 'deep' mode (#​35005)
  • vite: Inline css for non-island children of server components (#​35001)
  • nuxt: Defer head DOM updates until page transition finishes (#​35016)
  • nuxt: Explicitly freeze head during island plugin phase (#​35010)
  • vite: Inline css imported from non-vue js modules (#​35020)
  • nitro: Remove unused middleware (fe857d36b)
📖 Documentation
  • Add warning about routing in server components (#​34994)
🏡 Chore
✅ Tests
  • Extract server components fixture + add some failing tests (#​34995)
  • Isolate buildDir per matrix project for shared fixtures (#​35007)
  • Split env testing into separate file (fd4019cf8)
  • Use 3.x style tsconfig (86625efad)
  • Use more 3.x style tsconfigs (4a9bde3f3)
  • Correct import path (133d5f6d7)
  • Update snapshots (9fc42f788)
❤️ Contributors

v3.21.4

Compare Source

v3.21.2

Compare Source

v3.21.1

Compare Source

3.21.1 is a regularly schedule patch release.

👉 Changelog

compare changes

🩹 Fixes
  • nuxt: Correct reference format of server builder (#​34177)
  • nuxt: Add status/statusText getters to NuxtError (#​34188)
  • schema: Add direnv and vendor to default ignore (#​34190)
  • nuxt: Focus hash links after navigation (#​34193)
  • nuxt: Exclude head runtime from unhead imports transform (#​34195)
  • kit: Include prereleases in semver satisfy check (#​34210)
  • nuxt: Watch server/ for builder:watch hook (#​34208)
  • nitro: Encode unicode paths in x-nitro-prerender header (#​34202)
  • nitro: Preserve error.message for fatal errors (#​34226)
  • Only enable dynamic imports when ts plugin (#​34205)
  • webpack: Use H3Error for 403 in dev server (#​34233)
  • nuxt: Ensure NuxtError extends Error type (#​34242)
  • vite: Use H3Error for 404 in dev server (#​34225)
  • nuxt: Add backwards compat for #app barrel export in keyed functions (#​34199)
  • nuxt: Track + re-add custom routes on hmr (#​32044)
  • nuxt: Keep vnode when leaving deeper nested route (#​33778)
  • vite: Prevent CSS flickering in dev mode after config changes (#​33856)
  • nuxt: Do not start view transition i

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Aug 5, 2024

Copy link
Copy Markdown

Deploying form-actions-nuxt with  Cloudflare Pages  Cloudflare Pages

Latest commit: 18f9fe8
Status:🚫  Build failed.

View logs

@renovate renovate Bot requested a review from Hebilicious as a code owner August 5, 2024 20:40
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 1031c6a to c0546e8 Compare March 5, 2025 11:18
@changeset-bot

changeset-bot Bot commented Mar 5, 2025

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 18f9fe8

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from c0546e8 to a4c4cd1 Compare March 19, 2025 22:26
@renovate renovate Bot changed the title chore(deps): update devdependency nuxt to v3.12.4 [security] chore(deps): update devdependency nuxt to v3.16.0 [security] Mar 19, 2025
@renovate renovate Bot changed the title chore(deps): update devdependency nuxt to v3.16.0 [security] chore(deps): update dependency nuxt to v3.16.0 [security] Apr 24, 2025
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from a4c4cd1 to bfb2589 Compare September 17, 2025 22:06
@renovate renovate Bot changed the title chore(deps): update dependency nuxt to v3.16.0 [security] chore(deps): update dependency nuxt to v3.19.0 [security] Sep 17, 2025
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from bfb2589 to af65ee6 Compare October 21, 2025 10:41
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from af65ee6 to 6b8b473 Compare November 16, 2025 11:40
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 6b8b473 to 4d3ede4 Compare December 31, 2025 14:27
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 4d3ede4 to 77761f5 Compare February 2, 2026 19:07
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch 2 times, most recently from 9a96240 to 14f56e4 Compare February 17, 2026 16:41
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 14f56e4 to 2689b28 Compare March 13, 2026 10:52
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 2689b28 to 75c6596 Compare March 26, 2026 17:52
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 75c6596 to 844eaac Compare April 15, 2026 19:52
@renovate renovate Bot changed the title chore(deps): update dependency nuxt to v3.19.0 [security] chore(deps): update dependency nuxt [security] Apr 15, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 844eaac to 2ca26b7 Compare April 16, 2026 09:22
@renovate renovate Bot changed the title chore(deps): update dependency nuxt [security] chore(deps): update dependency nuxt to v3.19.0 [security] Apr 16, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 2ca26b7 to 7282c0d Compare April 16, 2026 16:20
@renovate renovate Bot changed the title chore(deps): update dependency nuxt to v3.19.0 [security] chore(deps): update dependency nuxt [security] Apr 16, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 7282c0d to 8f09fb4 Compare April 17, 2026 01:12
@renovate renovate Bot changed the title chore(deps): update dependency nuxt [security] chore(deps): update dependency nuxt to v3.19.0 [security] Apr 17, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 8f09fb4 to 5db1380 Compare April 19, 2026 10:18
@renovate renovate Bot changed the title chore(deps): update dependency nuxt to v3.19.0 [security] chore(deps): update dependency nuxt [security] Apr 19, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 5db1380 to 8d02163 Compare April 19, 2026 16:53
@renovate renovate Bot changed the title chore(deps): update dependency nuxt [security] chore(deps): update dependency nuxt to v3.19.0 [security] Apr 19, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 8d02163 to acc9040 Compare April 21, 2026 16:37
@renovate renovate Bot changed the title chore(deps): update dependency nuxt [security] chore(deps): update dependency nuxt to v3.19.0 [security] Apr 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 16094cd to daddff7 Compare April 30, 2026 17:02
@renovate renovate Bot changed the title chore(deps): update dependency nuxt to v3.19.0 [security] chore(deps): update dependency nuxt [security] Apr 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from daddff7 to bda6207 Compare April 30, 2026 23:51
@renovate renovate Bot changed the title chore(deps): update dependency nuxt [security] chore(deps): update dependency nuxt to v3.19.0 [security] Apr 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from bda6207 to f6f05dc Compare May 12, 2026 09:59
@renovate renovate Bot changed the title chore(deps): update dependency nuxt to v3.19.0 [security] chore(deps): update dependency nuxt [security] May 12, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from f6f05dc to 2cebd6b Compare May 12, 2026 15:13
@renovate renovate Bot changed the title chore(deps): update dependency nuxt [security] chore(deps): update dependency nuxt to v3.19.0 [security] May 12, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 2cebd6b to 53ba7c6 Compare May 14, 2026 16:27
@renovate renovate Bot changed the title chore(deps): update dependency nuxt to v3.19.0 [security] chore(deps): update dependency nuxt [security] May 14, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 53ba7c6 to fa6dd30 Compare May 14, 2026 20:31
@renovate renovate Bot changed the title chore(deps): update dependency nuxt [security] chore(deps): update dependency nuxt to v3.19.0 [security] May 14, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from fa6dd30 to 6f64953 Compare May 18, 2026 16:16
@renovate renovate Bot changed the title chore(deps): update dependency nuxt to v3.19.0 [security] chore(deps): update dependency nuxt [security] May 18, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 6f64953 to 6a78603 Compare May 18, 2026 22:09
@renovate renovate Bot changed the title chore(deps): update dependency nuxt [security] chore(deps): update dependency nuxt to v3.19.0 [security] May 18, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 6a78603 to 609f75c Compare May 19, 2026 17:59
@renovate renovate Bot changed the title chore(deps): update dependency nuxt to v3.19.0 [security] chore(deps): update dependency nuxt to v3.21.6 [security] May 19, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 609f75c to fdc7392 Compare June 11, 2026 18:38
@renovate renovate Bot changed the title chore(deps): update dependency nuxt to v3.21.6 [security] chore(deps): update dependency nuxt [security] Jun 11, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from fdc7392 to 8dec5d5 Compare June 12, 2026 01:55
@renovate renovate Bot changed the title chore(deps): update dependency nuxt [security] chore(deps): update dependency nuxt to v3.21.6 [security] Jun 12, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 8dec5d5 to 99bca5d Compare June 18, 2026 21:12
@renovate renovate Bot changed the title chore(deps): update dependency nuxt to v3.21.6 [security] chore(deps): update dependency nuxt [security] Jun 18, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 99bca5d to 64084c1 Compare June 19, 2026 03:08
@renovate renovate Bot changed the title chore(deps): update dependency nuxt [security] chore(deps): update dependency nuxt to v3.21.6 [security] Jun 19, 2026
@renovate renovate Bot force-pushed the renovate/npm-nuxt-vulnerability branch from 64084c1 to 18f9fe8 Compare June 20, 2026 01:42
@renovate renovate Bot changed the title chore(deps): update dependency nuxt to v3.21.6 [security] chore(deps): update dependency nuxt to v3.21.7 [security] Jun 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants